Why Cybersecurity for Private Equity Is Urgent Now – And What Funds Can Do to Move the Needle.

Private equity fund-level technology leaders can play an impactful role in protecting their portfolio companies from cyber-attacks, from due diligence through exit

By John Hauser, EY Americas Transaction Support – Cyber Due-Diligence Leader, Ernst & Young LLP

Private equity funds are struggling with a recent wave of cyber attacks affecting their portfolio companies. The FBI, private equity leaders and EY-Parthenon teams steeped in cybersecurity consulting are seeing a measured increase in cyber activity targeting PE transactions and portfolio companies, where victims are perceived to be easier targets with deep pockets to pay extortionate ransomware demands.

In addition, there is increasing legal and regulatory pressure on all varieties of portfolio companies. This pressure increases risk that an incident will have a domino effect on a company’s reputation and add to its list of post-incident damage control and recovery efforts.  For example, both the European Union and the United States have passed legislation which requires companies in critical infrastructure to timely report incidents to the government. The Securities and Exchange Commission recently passed new rules which put pressure on senior management and boards to be engaged and disclose the efforts they are taking to reduce cyber risk. Recent litigation in the US has put companies on notice that they must incorporate cybersecurity into their diligence process to ward off claims of negligence in the event of a later breach.

A single significant incident can be so disruptive that it throws off a fund’s investment plans and timetable for the company to exit the portfolio. Yet unlike corporate parents, funds are not equipped with their own cyber teams that can provide direct protection to portfolio companies. Some funds also worry that getting too involved in the portfolio company’s cybersecurity could increase risk to the fund itself.

Still, funds can play a significant and impactful role in protecting their portfolio companies, even short of taking over portfolio companies’ cyber programs.  PE fund-level technology leaders can build a more comprehensive cybersecurity strategy throughout the portfolio company ownership lifecycle, from due diligence and acquisition through exit.

Here are some of the ways that funds can be helpful:

Stay focused on portfolio company cybersecurity throughout the ownership lifecycle

• Funds that use cyber due diligence as an early indicator of potential problems can protect themselves from claims of negligence and will gain an advantage over funds that don’t.
• Funds can continue to emphasize cybersecurity during portfolio company onboarding, when cyber outcomes should be included as part of the strategic plan settled upon by senior leadership.
• A program during the value creation period that tracks deficiencies in portfolio company cybersecurity and escalates the response will help all parties stay ahead of risk instead of waiting for an incident to be the first indicator of trouble.
• A view of what cybersecurity success looks like prior to exit readiness will leave funds and portfolio companies in a much better position to preserve value and not make cyber a significant concern for a future buyer.

Leverage purchasing power to drive efficiencies 

Without replacing portfolio company procurement, funds can establish “preferred partner” programs, with reputable security vendors driving vendors to reduce prices and allowing portfolio companies to enjoy discounted services. Funds can also vet security vendors to confirm that portfolio companies are using industry-leading providers. Meanwhile, vendors receive the benefit of being a trusted name in the portfolio and a streamlined channel to market.

Collect data on portfolio company cybersecurity programs in order to realize synergies

Recognizing its unique position of having an overview of all portfolio companies lets the fund drive extra cybersecurity value. For example, funds which can identify common pain points among different portfolio companies can bring in expertise to help reduce risk at scale.

Play a valuable role in enabling effective leadership.

Funds typically have one representative on the portfolio company board. That board member can drive greater accountability and focus on cybersecurity. In addition, funds can often influence the high-level leadership at the portfolio company so that the right talent is driving results. This oversight allows the fund to play its traditional role of high-level governance, while also making it clear that better cyber outcomes are expected.

The need to improve cybersecurity goes beyond the potential financial and reputational risks of a successful attack. Portfolio companies with lax cybersecurity also run the risk of being left out of competition for government contracts and private sector business.

The strategies above, however, can represent a groundbreaking shift for private equity’s ability to mitigate the risk of a growing threat.

About the Author

John Hauser is the EY Americas Transaction Support – Cyber Due-Diligence Leader. John’s career comprises nearly 20 years of public service and private sector experience. At EY US, he heads innovative, market-leading cyber due-diligence practices, which help clients navigate the heightened technology and legal cyber risks posed by transactions.

Prior to joining EY US, John worked as a Special Agent with the FBI and as an Assistant United States Attorney. He has extensive experience investigating and prosecuting complex, high-profile cases, including international cybercrime rings and nation-state hackers who stole trade secrets from US corporations.

John can be reached online on at ey.com.

The views expressed are those of the author and do not necessarily represent the views of Ernst & Young LLP or any other member firm of the global EY organization.