
The power of cyber risk intelligence in private equity

Real Deals 20 March 2024

Andy Thomas, KYND


Proactive cyber risk management is essential to preserving value across the investment lifecycle, says KYND chief executive and founder Andy Thomas.

RD: What does KYND do, and what value do you bring to private equity firms?

Andy Thomas: Firstly, it is important to note that we are not a cybersecurity business. We are cyber risk management experts. We do this on a non-penetration basis, essentially outward-looking in, so gaining cyber risk insights from KYND is simple and quick. 

We began our journey by focusing on the insurance market back in 2018. Insurance companies at that time were starting to suffer significant losses associated with increased ransomware attacks, and we were able to help better inform their decision making around who they were willing to insure. 

We see the risk of cyber losses concentrating in numerous industries and will continue to expand our industry footprint. Recently, we have been drawn into the private equity world, as private equity firms have begun facing the same issues as insurance companies five years ago. As cyberattacks continue to rise in frequency and sophistication, they want to understand the cyber risk profile of portfolio companies and target companies, as what was once a peripheral concern has become mainstream.

Cybersecurity is a very complex area and we see it as our role to ease that complexity for a non-specialist audience, enabling people to prioritise those risks directly connected to attacks, rather than worrying about every potential risk that exists. 

RD: What role does cyber risk management play in the due diligence phase, in particular?

Thomas: There can be a significant degree of tech due diligence carried out on investments; firms that are really looking to get under the bonnet to see how things are done. A necessary component of that involves insight into cybersecurity governance within the business. Instant, easy-to-understand exposure visibility such as KYND’s enables private equity firms to easily confirm external cyber risk profiles and internal cyber risk processes in a light-touch manner, as opposed to an expensive consultant-led due diligence exercise. 

We provide tailored, focused reports that highlight priority issues that have been identified within the tech infrastructure of a business. We also explore the target company’s internal processes and cyber maturity using a simple questionnaire that helps private equity firms quickly get to the nub of the matter. Again, thanks to the close cooperation with our insurance clients, we’ve learned a lot in terms of how they evaluate a company’s internal and external cyber posture.

RD: How should private equity firms then integrate cyber risk management into the asset management or value creation phase?

Thomas: I recently had a conversation with a private equity firm that suffered a cyber incident almost immediately post-transaction, and it is important to be aware that this is one of the highest-risk periods in any investment. If a portfolio company suffers a disruptive cyberattack, it leads to increased expense, reputational damage and lost focus on meeting business objectives. The business is distracted by the acquisition process and so its exposure, post-deal, may be significant. 

During due diligence, it’s important for firms to prioritise actions for those early days after the deal is completed and then continually monitor the portfolio company thereafter to ensure they stay ahead of the dynamic cyber threat landscape. We enable both by allowing the private equity firm to quickly gain instant insight into the risk profile and risk maturity of each business, as well as help portfolio organisations to address existing and new vulnerabilities before cybercriminals exploit them. 

This cooperation has proven successful as private equity firms do not want to become the IT department of their portfolio companies. Rather, they want to be able to monitor, support and nudge firms that appear in need of improvement because cyber incidents are undoubtedly a real disruption to any business.

In 2023, one of our global asset management clients published a whitepaper that revealed that cyber incidents have a material and lasting impact on opex, capex and SG&A costs. Being burdened with those increased costs for an extended period of time can have a significant impact on value. These are the tangible impacts of an incident, and don’t even count the brand or reputational risk to impacted firms.

RD: How can you gauge the cybersecurity culture of a business and why is that so important?

Thomas: It matters because the more mature a company’s cybersecurity culture is, the better positioned it will be to respond to any incident, and the more likely it will be to put everything in place to ensure that everyone connected to the business understands cyber risk exposure. 

This could include having the right cyber training in place to ensure cyber risk is front of mind for everyone in the business, such as simulated phishing exercises and sensitivity to data security and confidentiality. That culture has to permeate the entire company and safe behaviour has to be infused into corporate culture. It is no longer sufficient for only senior management to be aware of the risks. 

We find that one of the best indicators of a company’s cyber culture can be seen in how they respond when we tell them that they are exposed to a critical vulnerability in their infrastructure. If a company recognises the benefits of having more good-guy-eyes on the business in order to spot vulnerabilities that the bad guys could exploit, that is generally a good sign. Conversely, if an organisation cannot be contacted, or is resistant to what we have to tell them, that is typically a sign of a poor cybersecurity culture and a lack of cyber maturity.

In addition, with an ever-changing attack surface, new vulnerabilities arise constantly; therefore continuous risk monitoring of portfolio companies has now become integral for private equity portfolio management processes. 

Obtaining ongoing visibility into organisations’ risk profiles not only enables them to proactively oversee digital risk across portfolios but also fosters engagement with the organisations, as witnessed by our clients.

RD: How can private equity firms support their portfolio companies when it comes to accessing cyber insurance?

Thomas: In a digital-first and interconnected era, cyber insurance is no longer a luxury, but a vital component of an effective cyber risk management programme for businesses of all types and sizes. But obtaining and keeping this much-needed coverage is not that simple. 

With our background, we understand what insurers are looking to focus on, and therefore the cybersecurity standards that private equity firms have to ensure are in place within their portfolio companies for them to be insurable. We are able to assist with that process, helping businesses ensure they can access the right insurance at the right cost. 

RD: How important is cyber risk management to the exit process?

Thomas: While the cyber risk profile of a company may not directly and immediately impact its value, it will certainly impact the ease of sale. The cyber risk landscape is ever-evolving, and organisations must continually adapt to it to avoid reputational, financial, or legal repercussions. 

When we are monitoring portfolio companies on a continual basis, we produce a set of reports that are designed for the board of that business, which show how the risk profile of an organisation has evolved over time and how it compares to its peers. 

When it comes to preparing a company for exit, these same reports can be used to demonstrate the cyber resilience of the business to prospective buyers, complementing their due diligence efforts. Maintaining a close eye on cyber readiness can also help to resolve any major issues that could threaten to undermine the exit process. If a company suffers an incident the week before closing a deal, that could derail the transaction. Heightened risk awareness during these key periods can be extremely valuable. 

RD: How is the regulatory environment evolving when it comes to cybersecurity and how do firms need to respond?

Thomas: The Digital Operational Resilience Act, or DORA, in the EU, will have implications for private equity firms. It is not entirely clear what form that impact will take as of yet, but the consensus is that private equity firms will need to evidence that they have active oversight of the cybersecurity and risk posture of the businesses they invest in, and that they are doing everything they can be reasonably expected to do in order to protect their investors’ money. 

It certainly seems as though this will be the minimum required from this regulation, and having active cyber risk governance and monitoring of portfolio companies in place would therefore be a major plus.

RD: How should firms approach resourcing their cyber risk management function as a firm, and within portfolio companies, including through partnerships with experts?

Thomas: No private equity firm wants to step in and take over the cybersecurity function from a portfolio company’s own IT team. They simply do not have the bandwidth. I would also add that none of the private equity clients that we speak with would be willing to instruct their portfolio companies to install software within their networks. 

Instead, the ethos seems to be ‘trust but verify’. You must trust your portfolio companies to do what is right and what they say they will do, but then monitor to make sure that that is the case. 

Equally, portfolio companies are likely to have their own existing relationships with experts and it is neither the job of the private equity firm, nor of us at KYND, to replace those relationships. Instead, we are here to provide guidance and monitoring, helping those businesses prioritise and aiding them in using the resources and expertise that they already have at their disposal wisely.

We do not identify issues and then offer to fix them. That is not our business model. We provide insights that IT departments and their service providers can use to quickly identify issues that we have flagged, enabling them to ultimately fix them themselves and become more resilient.

This content was produced in association with Kynd.
