Cybersecurity professionals John Nugent, Vice President at Apax, and Paul Harragan, Associate Partner at EY-Parthenon, explore how PE can manage cybersecurity risk and why it should be viewed as a value creation lever rather than a cost.
Cyberattacks happen constantly, and companies display a wide range of preparedness. Private equity (PE), like any other industry, is not immune to this growing threat. 1H2021 saw an increase in ransomware attacks on PE portfolio companies, which is especially troublesome for an industry that has traditionally taken a less rigorous approach to information security and cyber defense. PE has, however, begun to embrace the investments needed to understand its intrinsic risk, prepare for the inevitable breach and respond quickly.
While it is inherently difficult to gauge or predict the monetary cost of a breach, PE must consider that a breach can degrade an asset’s sale price or, in rare cases, be a “dealbreaker” altogether. In addition to the potential impact on transactions, skyrocketing insurance costs render the cost of negligence far greater than the cost of investing in a comprehensive cybersecurity strategy.
Cybersecurity due diligence is increasingly becoming an industry standard and should focus on past, present and future risk. For PE, future risk is an especially critical consideration, since capital deployment can dramatically change the threat landscape of an asset.
Five gold standard cybersecurity practices for PE include:
Understand your threat landscape
- Identify what a hacker would find valuable and attractive about your company
- Identify critical business functions and adopt procedures to monitor, defend and preserve functionality in the event of an attack
- Inform security leadership of the technology strategy and broader business plan so they can anticipate changes to the attack surface
- Understand how new technology can generate new attack vectors and impact your threat landscape