Private equity must wise up to cybersecurity
Private equity practitioners must act to avoid becoming the newest soft target for cybersecurity attacks, argues Nazo Moosa, an investment committee member at Riyad Taqnia Fund
As investors, we are used to rigorously assessing the risks that our portfolio companies face. So why is it that the private equity industry has been slow to address what is now one of the most complex risks that their own organisations are facing - their digital vulnerabilities?
Two years ago, I participated in a private equity oriented cybersecurity panel that addressed just this point. Despite that positive start, it is apparent that the discussion has moved on only slightly. We have seen the wider financial services sector wise up faster, with wholesale and retail banks now spending billions on digital resilience; while law and accountancy firms are no longer the soft targets they once were. Is private equity now the weakest link?
It is an inescapable fact that billions have been lost to cybercrime in the last two years alone. Large-scale destructive attacks have jeopardised multi-billion dollar transactions - with examples including Verizon and Yahoo - and influenced political outcomes, such as the US Democratic National Committee.
The [PE] sector is inevitably exposed to sensitive and highly confidential transactional and shareholder data – all of which is vulnerable to intrusion and leak" Nazo Moosa, Riyad Taqnia Fund
While Europe has not experienced the same level of cyber drama as the US, we have seen major companies such as Talk Talk, Lloyds, GSK and most recently Siemens targeted, often with calamitous consequences. In the UK, crime data from the Office of National Statistics jumped 30% when digital crime was included in its estimates. The European Parliament has taken note, introducing the game-changing general data protection regulation (GDPR), which will hold companies accountable for not having sufficiently robust security and data protection in place - with sanctions as high as 4% of global sales. This legislation includes strict reporting guidelines following a breach and gives victims the right to compensation.
All this poses particular challenges for private equity. The sector is inevitably exposed to sensitive and highly confidential transactional and shareholder data – all of which is vulnerable to intrusion and leak. Funds face not only their own digital risks but also those of their portfolio companies. Resource is a further issue. All but the very largest alternative asset managers are run with outsourced or minimal back office functions. Most do not have operational boards, a chief operating officer, or for that matter a chief technology office, chief information officer, CISO, chief information security officer or the now frequently appointed chief data officer.
Focus on detail
Unlike public company board members who view themselves as guardians of public shareholder value, private equity investors tend to focus more on active value creation - driving top-line growth and trimming costs - with perhaps less attention paid to more seemingly mundane, administrational processes. However, these processes do protect value and now is the time to act.
Private equity must avoid becoming the newest soft target. The good news is that guidelines exist to help private equity firms protect themselves. A manageable set of precautions can significantly improve a fund's security and increase its levels of compliance with the new GDPR legislation.
Private equity firms might also consider taking the following practical steps to strengthen their digital defences. First, they must build senior management's understanding of how systems, assets and processes map to each other in the context of the fund's appetite for cyber risk. This must include regular reviews, ideally with a designated individual responsible for this particular area of compliance.
Second, they must understand the business and human elements of cyber risk and build a process-centric approach to cyber protection with frequent reviews of policy and training of staff. They must also consider outsourcing with an understanding that this alone does not nullify the risk but can often be more effective, especially for smaller organisations without the technology and training skills in-house.
Fourth, private equity firms must recognise that cyber insurance policies often do not protect against indirect costs and reputational damage, which can be significant, but an extra layer of protection against this complex risk can be meaningful and serve a signalling function.
And finally, GPs must apply an extra level of cybersecurity-related due diligence to portfolio companies, with a specific action plan for rectifying any weaknesses in systems and processes during the initial 100-day period.
More on Advisory
Arma intensifies US acquisition talks with Mediobanca backing
Deal to acquire its first US peer could come as soon as next year
Alantra seeks to bolster US presence via buys, organic growth for advisory division - IB CEO
Financial services group aims to grow the geographical presence and sector specialism of its investment banking group
Investec acquires majority interest in corporate finance firm Capitalmind
Transaction will see the advisory firms fully integrating their M&A and corporate finance teams
Mediobanca acquires Arma Partners
Deal will increase Italian bank's investment banking fee pool by 30% as wider sector suffers from M&A slump
Latest News
Stonehage Fleming raises USD 130m for largest fund to date, eyes 2024 programme
Sponsor acquired the public software group in July 2017 via the same-year vintage Partners Group Global Value 2017
Stonehage Fleming raises USD 130m for largest fund to date, eyes 2024 programme
Czech Republic-headquartered family office is targeting DACH and CEE region deals
Stonehage Fleming raises USD 130m for largest fund to date, eyes 2024 programme
Ex-Rocket Internet leader Bettina Curtze joins Swiss VC firm as partner and CFO
Stonehage Fleming raises USD 130m for largest fund to date, eyes 2024 programme
Estonia-registered VC could bolster LP base with fresh capital from funds-of-funds or pension funds