Reflecting on cyber security as a risk in private equity: Three actions to improve

Authors: Paul Darwin and Sara de la Torre

“Why does cyber security matter in Private Equity now, and why is it increasingly more relevant?”

That was the question we asked to kick-off our recent Private Equity (PE) cyber security roundtable event where we were joined by leading technologists, lawyers, data privacy experts and a number of senior stakeholders from PE.

We’d invited them to hear from our industry experts:

• Lesley Kipling - Microsoft, Chief Cyber Security Advisor for EMEA
• Rhiannon Webster – Ashurst LLP, Partner & Head of UK Data Privacy and Cyber Security Practice
• Thomas Nielsen - Mayfair Capital & Nordic Capital, Senior Advisor
• Stephen Bailey - NCC Group, Data Privacy, Cyber Security and Private Equity Subject Matter Expert

We all agreed that cyber security isn’t always the number one agenda item for dealmakers. But with 80% of firms experiencing attacks in the past 12 months, it needs to be taken more seriously, and quickly.

There is also consensus that cyber security has always been a risk and investors must look at how management treats cyber security and ensure they recommend influence, guide and add value on an ongoing basis.

This role is fundamental when translating an optimal assessment of ‘cyber risk’ into ‘value creation’ with meaningful insights, approaches and often the support of independent cyber practitioners.

So, what can PE houses and their portfolios do to improve their cyber security?

1. Education and collaboration

Collaboration across companies’ CTOs, CIOs, CISOs, etc is often facilitated by the Private Equity houses, particularly at a technical level. Yet the cyber awareness exercise for executive boards is far more challenging and it’s not about implementing a particular technology, it’s first and foremost about educating people and building awareness. There was agreement on the fact that training needs to be tailored and ongoing. By doing so, the agility and quality of response when an attack happens is far more effective.

Education on supply chain or ‘third party risk’ was specifically mentioned as companies and Private Equity Firms evolve in their digital transformation, regardless of regulatory frameworks.

2. Focus on data due diligence and governance

From a legal and data privacy perspective, one of our legal attendees highlighted that they explore data at both the due diligence stage and the data breach point. Organisations vary significantly on the level of due diligence that they do and often do not pay much attention to the policies and procedures where they exist.

Interestingly, in the event of a breach, an external investigation will include looking at what policies and procedures are in place so it’s important to ensure they exist and are being followed. In the context of data litigation, the landscape is rapidly increasing in the UK as a result of the growing volumes of data. As soon as there is a data breach, disputes may arise within the day of the breach.

All participants recognised the growing challenge that increasing volumes of data represent and ultimately, the fundamental issue comes down to poor data governance – ahead of the implementation of any technologies. Machine Learning was perceived by some participants as the only solution to handle the data challenge. Yet the effective use of Machine Learning approaches also relies on effective understanding of data lineage and governance.

Where there is a data risk there is a cyber risk and therefore the data problem increasingly impacts on cyber risk – particularly as we all evolve on digitalisation across all businesses.

3. Be proactive

Early engagement with specialised cyber firms and technologists and lawyers is perceived as important but it needs to be done in the right way. Many businesses assume that their current cyber insurance policy supports in the event of attack and yet they often realise that when they need an immediate incident response service, this is not in place – hence increasing the impact of the attack and raising the cost of addressing it. Again, advising on the need to have the right incident response coverage in place is also a value add that the Private Equity firm can do and it’s something that is strongly recommended.

As the threat landscape continues to evolve, many agreed that now is the optimal time to re-evaluate their cyber strategy to ensure their business and their future investments are “fit for purpose” in a still incredibly disruptive and unprecedented economic time.