Private equity funds are facing a surge in cyber attacks targeting their portfolio companies. This alarming trend has prompted the FBI, private equity leaders, and cybersecurity consulting teams like EY-Parthenon to raise concerns about the increasing cyber activity in PE transactions and portfolio companies. Hackers see these companies as easy targets with deep pockets that can pay hefty sums in ransomware demands.
Furthermore, legal and regulatory pressures are mounting on all types of portfolio companies, increasing the risk that a cyber incident will have severe repercussions on their reputation and post-incident recovery efforts. Legislation in the European Union and the United States now requires companies in critical infrastructure sectors to report incidents promptly to the government. In addition, the Securities and Exchange Commission has implemented new rules that place pressure on senior management and boards to disclose their efforts in reducing cyber risk. Recent litigation in the US has also alerted companies to incorporate cybersecurity into their due diligence process to avoid potential claims of negligence in the event of a breach.
A single significant cybersecurity incident can disrupt a fund’s investment plans and delay the company’s exit from the portfolio. Unlike corporate parents, private equity funds don’t have dedicated cyber teams to provide direct protection to portfolio companies. Some funds are concerned that getting too involved in their portfolio company’s cybersecurity could increase risks for the fund itself.
Despite these challenges, private equity funds can play a crucial role in protecting their portfolio companies without taking over their cyber programs entirely. PE fund-level technology leaders can develop a comprehensive cybersecurity strategy throughout the ownership lifecycle of portfolio companies, starting from due diligence and acquisition to exit.
Here are some ways that funds can help enhance cybersecurity:
1. Stay focused on portfolio company cybersecurity throughout the ownership lifecycle: Funds can use cyber due diligence as an early indicator of potential issues to protect themselves from claims of negligence. By emphasizing cybersecurity during portfolio company onboarding, funds can include cyber outcomes in the strategic plans agreed upon by senior leadership. Implementing a program during the value creation period to track cybersecurity deficiencies and escalate responses will help all parties stay ahead of risks rather than waiting for incidents to occur. Having a clear understanding of cybersecurity goals well before preparing for exit leaves funds and portfolio companies in a better position to preserve value and address any concerns of future buyers.
2. Leverage purchasing power to drive efficiencies: Funds can establish “preferred partner” programs with reputable security vendors, encouraging vendors to lower prices and provide discounted services to portfolio companies without replacing their existing procurement process. Funds can also vet security vendors to ensure that portfolio companies are utilizing industry-leading providers. This approach benefits vendors by establishing them as trusted names in the portfolio and streamlining their channel to the market.
3. Collect data on portfolio company cybersecurity programs: Private equity funds are uniquely positioned with a view across all of their portfolio companies, which allows them to drive additional cybersecurity value. Funds can identify common pain points shared by different companies and bring in experts to reduce those risks at scale.
4. Play a valuable role in enabling effective leadership: Funds typically have one representative on the portfolio company’s board. This board member can promote greater accountability and focus on cybersecurity. Moreover, funds often have influence over high-level leadership, ensuring that the right talent is driving cybersecurity efforts. This oversight enables funds to fulfill their role in high-level governance while making it clear that better cyber outcomes are expected.
Improving cybersecurity is crucial not only to mitigate potential financial and reputational risks but also to ensure portfolio companies can compete for government contracts and private sector business.
Implementing the strategies outlined above represents a groundbreaking shift for private equity funds in mitigating the risks posed by the growing threat of cyber attacks.
About the Author:
John Hauser is the EY Americas Transaction Support – Cyber Due-Diligence Leader. With nearly 20 years of public service and private sector experience, Hauser heads an innovative and market-leading cyber due-diligence practice at EY US. His expertise helps clients navigate the heightened technology and legal cyber risks involved in transactions. Before joining EY US, Hauser served as a Special Agent with the FBI and as an Assistant United States Attorney, investigating and prosecuting complex cybercrime cases, including those involving international cybercrime rings and nation-state hackers stealing trade secrets from US corporations.
Disclaimer: The views expressed in this article are those of the author and do not necessarily represent the views of Ernst & Young LLP or any other member firm of the global EY organization.