Webinar: Cybersecurity - assess, protect, mitigate

Talya Misiri 25 November 2021

In a recent Real Deals webinar in association with Control Risks, industry experts discussed the rising importance of cybersecurity across all businesses and how to mitigate the impact of an attack.

With the industry becoming more and more digitised, a focus on cybersecurity has become imperative. In the current landscape, private equity firms have also developed a greater appetite for technology-enabled assets, and they do not come without risk; cyber risk in particular.

Organisations are faced with the critical need to protect this increased volume of digital assets and transactions from a dizzying array of potential cyber threats and exposures, and PE firms and their portfolios are not exempt.

Speaking on a recent Real Deals webinar in association with Control Risks, the firm’s global head of cybersecurity, James Owen, noted that cybersecurity has been “supercharged” by the pandemic and by broader trends around the rising use of digital platforms.

BUSINESS RISK

Considering the implications of the increased use of digital platforms, the panellists agreed that cybersecurity should be viewed as a business risk across all companies. Control Risks’ Owen noted: “The main point here is that, whilst the impact of a cyber attack can be significant, the best way to manage this risk is by treating it as a business risk issue rather than as something very separate and very technical. It’s a risk management issue.”

Palatine senior investment director Andy Strickland agreed, stating that: “Cybersecurity is becoming a business risk and therefore an investor risk.” This is certainly an area that is becoming more and more crucial in the new working environment, especially for PE firms in the management of their portfolio companies. Strickland noted that with new ways of working, some businesses are becoming more conscious of cybersecurity considerations.

While cybersecurity is moving its way up the business agenda for some firms, not all businesses are aware of its importance.

Ropes & Gray partner Edward McNicholas explained that: “It is so vital to have companies shift their mindset into seeing this as a business risk to be managed. Companies are either zero or 100 on cyber risk - it is either nothing to worry about, or they’re terrified and paralysed that they could be hit by ransomware. Neither is the correct approach. It is one risk among many risks of running a business.”

Nonetheless, while cybersecurity is broadly acknowledged as an important consideration, concerns remain as to whether it is truly understood. Strickland said: “Cybersecurity is getting higher up the agenda at board level, but in terms of understanding how to deal with it, there is a gap.”

DUE DILIGENCE

Cybersecurity is clearly rising up the business agenda, but it is being considered at varying degrees throughout the deal process, the panellists agreed.

During the due diligence process, cybersecurity is becoming an increasingly important area to assess. Owen highlighted that cyber DD can provide investors with “insights into existing and future cyber security challenges and insights on past incidents that could affect the value of the brand”. He added: “For a deal team, it will enable them to achieve more value in the acquisition and may help with contractual negotiations”.

With increasing competition for assets and transactions being completed in record time, cyber DD may not be at the forefront of GPs’ minds during pre-deal assessments. Strickland said: “When looking to invest [in a widely sought after asset], you are limited to a quick process, and in terms of doing all of the diligence you would like to do, it usually takes place post deal. Everybody would like to do more pre-deal, but it is a challenge.”

Indeed, with competitive auctions, a lot of the DD on businesses, including cyber DD, is likely to be done post acquisition. In addition, the speakers agreed that cyber programmes are rising up the list of what buyers ask about at exit.

Owen also highlighted the benefits for GPs of cyber assessments across their portfolio. He said: “On the portfolio side, what we’re increasingly finding is that it [cyber DD] is providing a prioritised view of the cybersecurity maturity of, not just the company itself, but providing a health check on investments across the portfolio as a whole. The findings of those due diligence exercises can then be used to benchmark the risks related to future acquisitions based on thresholds and risk tolerance levels.”

PRACTICE, PRACTICE, PRACTICE

Incident response plans and crisis management are crucial to protect a company against the impact of a cyber attack.

Owen emphasised the importance of planning and practice. “We spend a lot of time helping organisations to create plans for potential cyber attacks […] But the really critical thing is that you need to test those plans, you need to actually craft realistic scenarios that you or your portfolio companies might be subject to. That could be a supply chain compromise, an extortion-based attack and insider threat issue, and actually bring those to life through life-like simulations.”

He explained that testing of this sort is crucial so that people within organisations know their “roles and responsibilities” if a real incident were to occur.

“Our response teams are responding daily, if not hourly, to attacks around the world. And, it can be easy to identify a company that has rehearsed what to do and knows the roles and responsibilities of the different individuals involved in that response. The result of that is that they do tend to mitigate the impact on their critical assets a bit more and often restore and recover more quickly as well,” Owen said.

ATTACKS WITHIN

Of course, it is important to remember that PE firms themselves are also not immune to cyber attacks. As businesses that hold significant amounts of data on their portfolio and intellectual property, a breach can be hugely damaging. As a result, firms must practise what they preach and act in the same way that they would when managing their portfolio companies.

McNicholas advised that it is important to have a designated individual or individuals that are responsible for cybersecurity within the firm. He said: “If you don’t designate leadership in this area, there will be an effort by the leadership of the firm overall to just run the event straight off. They can bring all kinds of varying levels of information to an attack, which can be quite a challenge.”

Moreover, McNicholas offered an example of the areas in which PE firms have been subject to a breach. He said: “I think the real vulnerability in private equity that we’ve seen exploited again and again, is that people email around and send wiring instructions for large wires, in connection with deals.”

It was recommended that firms have an individual responsible for cyber defence, as well as good protections such as multi-factor authentication in place to reduce risk.
