Developing a Programmatic Approach to Cybersecurity Oversight
How PE Firms Can Better Manage Cybersecurity Across Their Portfolios
By Jeremy Bergsman and Taylor Broshar, ACA Group*
April 25, 2023
Note: Portions of this article were previously published.
With cyber threats and techniques continually evolving, the likelihood that an organization – small or large – will experience a breach has increased significantly. In particular, the rise of ransomware-as-a-service means that huge numbers of unskilled attackers can monetize attacks on smaller organizations.
Indeed, smaller organizations have become the primary target for attacks because they have a reputation for poor cyber hygiene and because attacks on them draw less media and law enforcement attention to the hackers. A recent study found that 82% of ransomware attacks target organizations with fewer than 1,000 employees.
In private equity, breaches result in financial and operational losses not only to the targeted portfolio company (Portco) but equally to its sponsors and investors. A watershed moment for recognition of cyber risk to Portcos was the 2021 ransomware attack that shut down privately held Colonial Pipeline Company. The attack resulted in millions of dollars in losses to Colonial Pipeline Company. Widespread impact to pipeline customers also resulted in severe reputational risk to Colonial Pipeline and its owners.
Breaches, culminating in Colonial Pipeline, have focused private equity management on the cyber risk in their portfolios. At the same time, limited partners (LPs) have become focused on cybersecurity practices at the fund level to ensure the security of their investments, putting more of an onus on PE firms to act.
The Current Approach to Cybersecurity Oversight
For several years, PE firms have been dipping a toe in the water of cybersecurity oversight. In addition to the basic practice of pre-acquisition due diligence on cybersecurity, initial efforts taken by PE firms include bringing in outside consultants and vendors to Portcos with known cyber challenges and instituting minimum expectations for cybersecurity controls within the portfolio. Indeed, in 2022, 60% of firms polled by ACA reported actively engaging in some level of cyber oversight. However, the approach that firms take to cybersecurity oversight of the companies in their portfolio is frequently ad hoc, with more than 50% of surveyed PE firms taking this approach.
This ad hoc approach concentrates on managing the significant risks that a cybersecurity incident would create, focusing on the subset of the portfolio that is usually considered the highest risk or that is unable to manage cybersecurity risks itself. To achieve this goal, firms using an ad hoc approach typically provide that subset of their portfolio with a set of basic cybersecurity controls that should be implemented, and periodically assess these companies against those expectations.
Limitations of an Ad Hoc Approach to Portfolio Oversight
While an ad hoc approach may be a logical starting place for managing cybersecurity risk throughout a portfolio, there are several limitations of this approach that create meaningful risks for PE firms, the companies in their portfolio, and investors. These limitations include:
- Missing Opportunities for Value Creation – An ad hoc approach to managing cybersecurity risks will place its focus on managing the most significant downside risks associated with cyber incidents. However, this ignores potential value creation opportunities, like improving valuations and retaining investors, that often come with a PE firm being able to demonstrate the strength of its cybersecurity controls and its resiliency throughout the portfolio.
- Static Response to Cyber Threats – The basic controls that an ad hoc approach implements to manage cybersecurity are insufficient to deal with active attackers, who are experienced at finding and exploiting gaps in cybersecurity defenses. In a world of constantly evolving cybersecurity threats, and the proliferation of low-skill hacking and ransomware kits that will make cyberattacks easier to launch, firms need more than point-in-time defenses.
- Limited Scope of Protection – Ad hoc approaches to cybersecurity fail to cover the entire portfolio, leaving the firm and investors exposed to unnecessary cybersecurity risks. While focusing cybersecurity efforts on the portions of the portfolio that are the highest risk may have been justifiable in the past, with cybercriminals actively targeting smaller companies it is no longer a stance that investors and limited partners should accept.
This ad hoc approach to oversight leaves PE firms, their investors, and the companies in their portfolios at risk for significant costs – financial, reputational, opportunity costs, etc. – and it is no longer a justifiable approach for firms to take.
A Path Forward: Building a Programmatic Approach to Cybersecurity Oversight
As cybersecurity threats continue to evolve and spread, it has become imperative that PE firms institute a programmatic approach to portfolio oversight: oversight that is formally governed, applied consistently, and grows valuations.
Programmatic cybersecurity portfolio oversight will meet increased investor expectations on cyber as well as safeguard and grow the valuation of investments.
However, despite this pressure on PE firms, evolving cyber portfolio oversight to a programmatic approach is challenging. Most firms lack the cyber expertise, funding, buy-in, and/or understanding of what an oversight program should look like. ACA has helped more than 100 PE, venture capital, and hedge funds improve cybersecurity oversight of their investments. Based on our learnings from those interactions, here we provide a path forward by rebutting common myths that stand in the way of firms’ adopting programmatic oversight. We then offer a framework for organizations to begin evolving their approach, enabling them to avoid value destruction, better compete for capital, and increase valuations.
What Is Cybersecurity Portfolio Oversight?
What do we mean by cybersecurity portfolio oversight? While capital is invested, a PE, VC, or hedge fund has a fiduciary responsibility to oversee risks to that investment. Depending on its investment thesis, it likely will also be overseeing and facilitating progress against a value-creation plan. These oversight activities have not always formally included overseeing cybersecurity. However, over the past few years the industry has come to understand that cyberattacks pose an existential risk to smaller companies, and possibly to the PE firm.
Hence cybersecurity oversight has become imperative to avoid value destruction from cyberattacks.
The past couple of years have seen a sea change in the industry, with leaders recognizing opportunities for more than just downside risk management in their cybersecurity oversight.
- Opportunity #1: Value Creation – The first opportunity is in value creation. While it’s understood that a poor showing in cyber diligence can negatively affect valuation, it’s less often considered that a documented track record of well-managed, audited cybersecurity efforts can improve a valuation and may even short-circuit cyber diligence.
- Opportunity #2: Attracting Capital – The second opportunity is in attracting capital from LPs. LPs are increasingly looking for effective cybersecurity oversight to be in place. Meanwhile, according to PitchBook, fundraising has been trending down for two quarters and LPs are getting choosier with their investments. In this context, a programmatic approach to oversight that is designed for improved investor relations can pay for itself solely by converting or retaining one or two large investors.
ACA’s Approach to Portfolio Oversight
ACA Aponix has identified 13 elements of programmatic cyber oversight, which are detailed below. This approach to portfolio oversight draws on more than four years of experience working alongside more than 100 private equity sponsors to help stand up cyber oversight programs, as well as working with their Portcos directly. While there is no one-size-fits-all solution to oversight, these 13 elements are shared features that should be present in any cyber oversight program. By adopting these elements, PE firms can avoid value destruction, meet investor expectations, and increase valuations of their portfolio, while still retaining the flexibility to customize the oversight program to align with the investment strategy.
Cyber Risk Management
Identify, measure, and report on cyber risks in portfolios, and ensure that Portcos are properly remediating risks.
- Security Baseline: There is an established minimum cybersecurity baseline and expectations for cyber insurance for all Portcos.
- Risk Framework: A defined risk framework is used to monitor, manage, communicate, and set expectations for cybersecurity risk.
- Risk Assessment: Mechanisms are in place to maintain a robust understanding of the cybersecurity risk at each Portco and the action steps needed to improve their cybersecurity posture.
- Change Readiness: Capabilities are in place to quickly assess the impact of new threats and vulnerabilities on each Portco and to recommend portfolio-wide action steps.
Move cyber oversight from a cost center to a support for value creation efforts.
- Improving Valuations: The program creates and documents a track record of success, and otherwise meets diligence expectations, in a way calculated to improve valuation at exit.
- Leadership Support: The connection between cyber and portfolio valuation is socialized with managing partners and the board to ensure ongoing support for cybersecurity oversight activities.
- Portco Support: Data, insights, benchmarks, and other resources are shared with Portcos to help them right-size their cybersecurity investments.
- Economies of Scale: Economies of scale are leveraged to acquire cybersecurity services and share cybersecurity resources across the portfolio.
Cyber Oversight Governance
Ensure that cybersecurity oversight delivers results that satisfy investors while not being overly burdensome on Portcos or your firm.
- Accountability: There are designated role(s) empowered and accountable for portfolio cyber oversight.
- LP Relations: Mechanisms are in place to gather the desires and expectations of limited partners/investor community around cybersecurity oversight.
- Reporting: There are established processes for reporting on Portcos’ cybersecurity to managing partners, the board, investors, regulators, and other stakeholders.
- Rightsized Oversight: The level of oversight intensity is based on investment level, inherent risk, and lifecycle of Portcos.
- Integrated Oversight: Cyber oversight is integrated into broader oversight and value-creation activities (financial, ESG, etc.).
*Jeremy Bergsman, Ph.D. leads ACA’s Thought Leadership team, ensuring clients receive the latest and most critical information they need to manage risk and ESG responsibilities. Jeremy also leads New Product Development, ensuring that ACA’s products continuously evolve to meet client needs. Jeremy may be reached at Jeremy.Bergsman@acaglobal.com. Taylor Broshar is a Senior Research Analyst with ACA Aponix where she helps lead the team’s thought leadership initiative on the intersection of cybersecurity and the financial services sector. Taylor may be reached at Taylor.Broshar@acaglobal.com. For additional information, please see https://www.acaglobal.com/our-solutions/cybersecurity-privacy-risk.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect those of the IAA. This article is for general information purposes and is not intended to be and should not be taken as legal or other advice.