February 9, 2022
The cyber security checklist for private equity executives
How to leverage cyber security throughout the investment lifecycle for true commercial impact.

Traditional engagement with cyber security from the funding community has tended toward compliance-driven only. However, a tick box exercise alone does not effectively mitigate cyber risk, and furthermore neglects commercial opportunity to closer control ROI throughout the investment lifecycle, ultimately preventing portfolio value erosion.  

70% of General Partners (GPs) acknowledge that cyber security has a very real and quantifiable effect on a portfolio’s value, and there is growing acceptance of its application to the investment thesis as a risk equal to all others. Limited Partners (LPs) are reinforcing this trend, with the Institutional Limited Partners Association (ILPA) in November 2021 issuing the standardised due diligence questionnaire (DDQ) including cyber security components.

There of course remains the very real need for compliance and covering the basics such as GDPR and CCPA, created in part to help defend against very real threats. Last year the industry reported a 238% increase in cyber-attacks, many of which resulted in prominent regulatory fines, and brand and investment damage to PE houses. This isn’t set to slow down, with predictions of global damages from cybercrime costing $10.5trillion by 2025.  

The following checklist details cyber security practices above traditional compliance, which private equity executives can leverage for deeper visibility of a target’s cyber risk during the investment stage, and then throughout the investment lifecycle to ultimately protect against portfolio value erosion.  

Pre-investment

Utilising open-source intelligence (OSINT) at an early stage can expedite the visibility of critical risks before GPs invest further time and resources into due diligence. This is an opportunity to uncover potential vulnerabilities associated with key individuals, intellectual property, or current company practices.

The goal at this stage is to uncover hidden liabilities which could require further investment in the long term, for example a company with disgruntled employees, or prominent members of the target company who are sanctioned, disqualified officers or a politically exposed person.  

Consider engaging an OSINT specialist to gain early visibility of:

  • Key stakeholders of the company through conducting digital footprint investigations
  • Compromised data existing on the dark web relating to a specific company
  • Legal and financial risk such as mapping of key locations associated with a target company in consideration of AML and regulatory complexities.  

Contract negotiation

For effective diligence, cyber risk should be incorporated and standardised within the deal thesis as an equal risk to others, gearing toward clear reporting and actionable results. Active cyber security investigation and review during negotiation helps determine and negotiate an asset’s value and prevents costly remediation post-purchase. Your investment should have the required cyber security standards in place and roadmap to maintain them. It is important at this stage to assess the target’s current cyber security posture across the three key pillars, technological, procedural and personnel, to uncover risks otherwise out of reach and unconsidered.

  • Review company processes, policies, and procedures by way of a cyber security assessment
  • Evaluate previous penetration test findings and ensure remediation measures are validated, particularly high and medium risk issues
  • Consider an additional penetration test to assess company systems, software, and ultimately defence and control over critical IP and data.

Portfolio management

Investing in the cyber security defences of your portfolio company is one of the clearest demonstrations of ROI for cyber security throughout the investment life cycle. There are hard costs associated with a breach and this risk landscape is ever-changing. Risks initially identified as part of pre-investment due diligence can quickly evolve, so integrating cyber security into routine practices post investment needs to be a priority to mitigate this real risk of breach, starting with engendering a self-policing culture.  

The expansion of a portfolio company, a change of its software, renewal of an operating license or another seemingly insignificant vulnerability may become that single point of failure for opportunistic cyber attackers. Nurturing an internal security culture toward self-policing through the provision of social engineering awareness training is critical to minimise ongoing risks.  

Data management remains of course a priority in implementation of correct process and practices, as incorrect management could result in a data breach, causing considerable damage to company operations and reputation. Leaked sensitive information could be used for malicious activity, such as phishing and ransomware attacks, as well as impacting profitability and loss of market confidence.  

  • Review incident response plans, ensuring immediate access to the right support is provisioned and guaranteed
  • Audit current cyber security training and awareness amongst employees via effective social engineering exercises
  • Develop a security roadmap to scale appropriately with the company’s commercial objectives, including regulatory and compliance requirements depending on markets, locations, partners, and product iterations
  • Consider supply chain vulnerabilities: have private policies been reviewed with the right lens? Are suppliers Cyber Essentials+ compliant themselves?  
  • Policy and document preparation in the event of divestiture or exit.

Your approach to cyber security within due diligence and portfolio management could well be driving toward compliance, considerate of the right regulations, but equally may fail to provide the actionable insights required to correctly model and negotiate around a target’s risk. It may also create significant blind spots within your portfolio, only known in the event of a breach, with consequences ranging from erosion of portfolio value to brand damage and loss of LP investment. Instead, if incorporated meaningfully throughout the investment lifecycle, driving real commercial consequence, cyber security can be the secret weapon of a private equity executive and your portfolio.

If you have any questions about this blog, or would like to discuss our approach to cyber risk, please contact us at hello@secure-impact.com

Sign up to our newsletter to receive the latest updates