Ask your typical Private Equity executive how he or she evaluates and manages the financial performance of their portfolio, and you’ll nearly certainly get a response along the lines of “We invest in companies that have solid assets but are not fulfilling their full potential; we deploy mature management and operational strategies, set financial performance targets that are benchmarked against peers, and ultimately build a solid story that allows us to realize gains upon exit.”
Ask your typical Private Equity executive how he or she evaluates and manages the cybersecurity performance of their portfolio, and you’ll nearly certainly get a response along the lines of “Hmm, I’m not really concerned about that. We have a consultant that does some type of testing during deal due diligence, and once we make the investment the security folks at the portfolio company will continue to manage things; or we have a consulting partner to which we outsource cybersecurity, and they take care of it.”
In a climate where cybersecurity events are increasing in frequency and costing companies millions, tens of millions, or hundreds of millions of dollars per event, the latter story is no longer acceptable. Relying on technical assessments during due diligence, with recommendations that may or may not get enacted, and outsourcing cybersecurity to third parties is no longer enough. Neither will withstand scrutiny from investors if a major cyber event severely impacts an individual company’s performance or, worse, drags down the entire portfolio. It’s time for Private Equity firms to take a mature approach to cybersecurity throughout the lifecycle of an investment.
How best to proceed? Focus on four areas:
- Understand what’s at risk
- Optimize the technical controls to the greatest areas of risk
- Ensure that financial controls are aligned to the largest areas of impact
- Do it all in a way that is repeatable, dynamic, and provides for benchmarking and peer comparison, so that everyone in the portfolio can evolve together and learn from each other
Here’s a snapshot of each component:
Understanding what’s at risk – The most impactful way to understand what is at risk, and to translate cybersecurity into the language of business and private equity portfolio management, is to undertake a cyber risk quantification exercise. By that we don’t mean “score” the cybersecurity program, but rather translate cybersecurity into financial terms and figure out what types of cybersecurity events are possible for the individual business. Effectively, write a representative set of cybersecurity event narratives and then utilize insights from the business to estimate the value of those events. A narrative can be simple, like a fraudulent funds transfer event that might have a low impact because the company has a very stringent set of funds transfer protocols that prevents anybody from transferring more than $10,000 without multiple checks and balances. Or a scenario can be a complex event, like the manipulation of a manufacturing facility that impacts a production line and product quality and results in $50M+ of revenue losses and product recall costs.
Optimize technical controls – Once you’ve conducted the first phase, you’ll have a clear line of sight into whether the technical controls are optimized to the most impactful areas of risk. Meaning, are resources being spent on those simple events that would not cause the business any real financial pain, to the detriment of the very impactful events that could cause the company to miss a quarter or year of earnings? Or are resources balanced appropriately, with the greatest focus on those areas of operations that are tied to the events with the greatest impacts? Most often the answer is no, and this is where factors such as type of business, regulatory and compliance obligations, and emerging risk types all contribute to misalignment of controls. Take the healthcare industry for example – where the focus on protecting patient information due to HIPAA concerns has resulted in major spend and focus there, often to the detriment of security considerations for pharma and medical device manufacturing. Think about the impact – a HIPAA penalty might cost a few million dollars, but a cyber event that taints an entire batch of pharmaceuticals and results in a public recall effort could cost tens of millions of dollars and far more in reputational damage.
Optimize financial recovery controls – Understanding your exposure in financial terms provides equally valuable insight into whether the financial control portfolio is optimized accordingly. Here, we’re talking about contractual protections, general financial wherewithal, and insurance, with the insurance portfolio holding the greatest prominence. Similar logic applies here – is coverage optimized to the greatest areas of risk, so that if one of the most impactful events occurs, most of the costs and liabilities will be covered? This is where relying exclusively on a cyber insurance policy can be perilous, because while cyber insurance policies work extremely well for what they are typically designed to cover (breach response costs, business interruption losses, third-party liabilities), they are not “catch-all” policies and typically do not cover funds transfer fraud losses, property damage, bodily injury, product recall costs, and other more traditional loss types. Take the energy industry for example, where cyber events can now cause major bodily injury and property damage losses, and thus where attention should be paid to the property and general liability policies to ensure recovery for those losses, not to purchasing a traditional cyber insurance policy that would better respond to a breach of credit card numbers.
Implement a process that is dynamic and repeatable – Quite simply, cyber risk management is not a once-a-year endeavor, but rather an ongoing and evolutionary process that needs to adapt as risks evolve and companies change. The great news about the aforementioned approach is that the quantification component can serve as the evolutionary driver – because if frequent attention is paid to the event narratives and how they are evolving as security controls are deployed, insurance modifications are made, or a new company is brought into the portfolio, they can serve as the basis for a cyber risk “target profile”, with companies expected to meet or exceed the target profile on a continuous basis. Further, when this framework is utilized across the entire portfolio, companies can be benchmarked against each other and best practices can be more easily shared for the benefit of the entire group.
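To make the four steps concrete, here is an added example (not code from the original article or from any firm it describes) of a minimal cyber risk quantification model for one portfolio company. It expresses each event narrative as an assumed annual frequency and a loss range, ranks narratives by expected annual loss, flags narratives whose share of security spend trails their share of expected loss, works out how much of a worst-case loss the insurance portfolio would actually respond to, and reduces the result to a two-number profile that can be compared against a target and benchmarked across companies. All scenario names, frequencies, loss ranges, spend figures and policy terms are constructed for illustration.

```python
"""Minimal cyber risk quantification model (added example; all figures constructed)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Scenario:
    """One cybersecurity event narrative expressed in financial terms."""
    name: str
    annual_frequency: float           # assumed events per year
    loss_low: float                   # plausible low-end loss, USD
    loss_high: float                  # plausible high-end loss, USD
    loss_breakdown: Dict[str, float]  # loss type -> share of the loss (sums to 1)

    def expected_annual_loss(self) -> float:
        # Point estimate: frequency times the midpoint of the loss range.
        return self.annual_frequency * (self.loss_low + self.loss_high) / 2


@dataclass
class Policy:
    """An insurance policy: the loss types it responds to and its aggregate limit."""
    name: str
    covers: List[str]
    limit: float


def rank_by_expected_loss(scenarios: List[Scenario]) -> List[str]:
    """Step 1: order the narratives by expected annual loss, largest first."""
    ordered = sorted(scenarios, key=lambda s: s.expected_annual_loss(), reverse=True)
    return [s.name for s in ordered]


def underfunded_scenarios(scenarios: List[Scenario], spend_by_scenario: Dict[str, float],
                          tolerance: float = 0.10) -> List[str]:
    """Step 2: flag narratives whose share of security spend trails their share of
    expected loss by more than `tolerance` (misaligned technical controls)."""
    total_eal = sum(s.expected_annual_loss() for s in scenarios)
    total_spend = sum(spend_by_scenario.values())
    flagged = []
    for s in scenarios:
        eal_share = s.expected_annual_loss() / total_eal
        spend_share = spend_by_scenario.get(s.name, 0.0) / total_spend
        if eal_share - spend_share > tolerance:
            flagged.append(s.name)
    return flagged


def uncovered_worst_case(scenario: Scenario, policies: List[Policy]) -> float:
    """Step 3: the part of a narrative's high-end loss that no policy would pay.
    Each policy's aggregate limit is drawn down across the loss types it covers;
    a loss type no policy covers (e.g. product recall) is uncovered in full."""
    remaining = {p.name: p.limit for p in policies}
    uncovered = 0.0
    for loss_type, share in scenario.loss_breakdown.items():
        loss = share * scenario.loss_high
        for p in policies:
            if loss_type in p.covers and loss > 0:
                paid = min(loss, remaining[p.name])
                remaining[p.name] -= paid
                loss -= paid
        uncovered += loss
    return uncovered


def risk_profile(scenarios: List[Scenario], policies: List[Policy]) -> Dict[str, float]:
    """Step 4: the two numbers a target profile would track and benchmark over time."""
    return {
        "expected_annual_loss": sum(s.expected_annual_loss() for s in scenarios),
        "largest_uncovered_worst_case": max(uncovered_worst_case(s, policies) for s in scenarios),
    }


def meets_target(profile: Dict[str, float], target: Dict[str, float]) -> bool:
    """True when every tracked number is at or below the target profile."""
    return all(profile[k] <= target[k] for k in target)


# Constructed sample company: three narratives, a security budget, two policies.
SCENARIOS = [
    Scenario("Fraudulent funds transfer", 0.5, 5_000, 10_000, {"funds_transfer_fraud": 1.0}),
    Scenario("Ransomware on corporate IT", 0.25, 500_000, 3_000_000,
             {"breach_response": 0.5, "business_interruption": 0.5}),
    Scenario("Manufacturing line manipulation", 0.0625, 20_000_000, 60_000_000,
             {"product_recall": 0.75, "business_interruption": 0.25}),
]
SPEND = {"Fraudulent funds transfer": 50_000, "Ransomware on corporate IT": 600_000,
         "Manufacturing line manipulation": 100_000}
POLICIES = [
    Policy("Cyber", ["breach_response", "business_interruption"], 5_000_000),
    Policy("Crime", ["funds_transfer_fraud"], 250_000),
]
TARGET = {"expected_annual_loss": 3_000_000, "largest_uncovered_worst_case": 10_000_000}

if __name__ == "__main__":
    print("Ranked narratives:", rank_by_expected_loss(SCENARIOS))
    print("Underfunded:", underfunded_scenarios(SCENARIOS, SPEND))
    for s in SCENARIOS:
        print(f"{s.name}: uncovered worst case ${uncovered_worst_case(s, POLICIES):,.0f}")
    profile = risk_profile(SCENARIOS, POLICIES)
    print("Profile:", profile, "meets target:", meets_target(profile, TARGET))
```

With the constructed figures, the manufacturing narrative dominates expected loss yet receives the smallest share of spend, and $55M of its worst case falls outside both policies because nothing responds to product recall and the cyber limit is exhausted by business interruption. Rerunning the same model after a control or coverage change, or for each company in the portfolio with a shared target profile, is the repeatable process the section describes.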
Think of the entire approach as the cybersecurity equivalent of financial management and reporting: a means to provide understanding in a language that private equity principals can understand, to drive more effective action, and a way for performance to be measured and evolved. The benefits extend beyond the day-to-day cyber risk management of any particular company, to conversations with investors who are demanding more confidence as to how cybersecurity risks are being managed, to fundraising confidence and a major differentiator in the global competition for dollars, and, just as importantly, to establishing a trustworthy narrative that can be used when it’s time to exit an investment and achieve optimal sale value. Buyers would have far less reason to question what cyber “risk” they are also inheriting; instead they would see it plain and simple, along with how the company has managed it over time.
Ultimately, when the game gets changed the narrative flips, and that’s a great advantage for Private Equity firms that are playing on an elevated level. Now, ask a private equity executive how they evaluate and manage the cybersecurity performance of the portfolio and the answer becomes, “We utilize a very mature process that rests on understanding the financial exposure of cybersecurity within the portfolio, so that we can optimize our deployment of financial and technical controls to focus on what matters most. That allows us to set target performance levels that we measure and benchmark companies against, and all the while we’re building a track record that can be used to our advantage when it’s time to exit the investment.”