
Private equity must wise up to cybersecurity

Private equity practitioners must act to avoid becoming the newest soft target for cybersecurity attacks, argues Nazo Moosa, an investment committee member at Riyad Taqnia Fund
As investors, we are used to rigorously assessing the risks that our portfolio companies face. So why has the private equity industry been slow to address one of the most complex risks its own organisations now face: their digital vulnerabilities?
Two years ago, I participated in a private equity oriented cybersecurity panel that addressed just this point. Despite that positive start, it is apparent that the discussion has moved on only slightly. We have seen the wider financial services sector wise up faster, with wholesale and retail banks now spending billions on digital resilience; while law and accountancy firms are no longer the soft targets they once were. Is private equity now the weakest link?
It is an inescapable fact that billions have been lost to cybercrime in the last two years alone. Large-scale destructive attacks have jeopardised multi-billion dollar transactions, as in the case of Verizon and Yahoo, and influenced political outcomes, as in the breach of the US Democratic National Committee.
While Europe has not experienced the same level of cyber drama as the US, we have seen major companies such as TalkTalk, Lloyds, GSK and most recently Siemens targeted, often with calamitous consequences. In the UK, crime data from the Office for National Statistics jumped 30% when digital crime was included in its estimates. The European Parliament has taken note, introducing the game-changing General Data Protection Regulation (GDPR), which will hold companies accountable for not having sufficiently robust security and data protection in place, with sanctions as high as 4% of global sales. This legislation includes strict reporting guidelines following a breach and gives victims the right to compensation.
All this poses particular challenges for private equity. The sector is inevitably exposed to sensitive and highly confidential transactional and shareholder data, all of which is vulnerable to intrusion and leak. Funds face not only their own digital risks but also those of their portfolio companies. Resource is a further issue. All but the very largest alternative asset managers are run with outsourced or minimal back office functions. Most do not have operational boards, a chief operating officer, or for that matter a chief technology officer, chief information officer, chief information security officer (CISO) or the now frequently appointed chief data officer.
Focus on detail
Unlike public company board members, who view themselves as guardians of public shareholder value, private equity investors tend to focus more on active value creation, driving top-line growth and trimming costs, with perhaps less attention paid to seemingly mundane administrative processes. However, these processes do protect value, and now is the time to act.
Private equity must avoid becoming the newest soft target. The good news is that guidelines exist to help private equity firms protect themselves. A manageable set of precautions can significantly improve a fund's security and increase its levels of compliance with the new GDPR legislation.
Private equity firms might also consider taking the following practical steps to strengthen their digital defences. First, they must build senior management's understanding of how systems, assets and processes map to each other in the context of the fund's appetite for cyber risk. This must include regular reviews, ideally with a designated individual responsible for this particular area of compliance.
Second, they must understand the business and human elements of cyber risk and build a process-centric approach to cyber protection, with frequent reviews of policy and training of staff.
Third, they must consider outsourcing, with the understanding that this alone does not nullify the risk but can often be more effective, especially for smaller organisations without the technology and training skills in-house.
Fourth, private equity firms must recognise that cyber insurance policies often do not cover indirect costs and reputational damage, which can be significant; even so, an extra layer of protection against this complex risk can be meaningful and serve a signalling function.
And finally, GPs must apply an extra level of cybersecurity-related due diligence to portfolio companies, with a specific action plan for rectifying any weaknesses in systems and processes during the initial 100-day period.