Skip to content

Why PE/VC General Partners Have Growing Concerns Around Cybersecurity and What They Can Do About It

C

yber crime has skyrocketed in recent years and several corporate giants have endured catastrophic breach events.  Cyber attacks targeting behemoths like Target, Home Depot and Talk Talk have triggered a contagion effect that impacts organizations spanning all industries, regardless of scope, 

Authors: Greg Tomchick, Partner, C|CISO; Jeff White, Chief Security Officer, CMMC-RP 

Many small and mid-sized financial firms (wrongly) consider themselves too small to be of interest to cyber criminals and choose to ignore the threat, leaving them open to attack. 

Private equity firms are particularly vulnerable as most operate with small cybersecurity budgets and limited IT staff.  However, recent news headlines have emphasized the real risk that all firms face.  It is not surprising, therefore, that the whole financial industry is coming under increased pressure from governing authorities to do something concrete about it, especially with the Russia-Ukraine developments, crypto-currency surges and investment at an all time high.  

Regulatory associations – among them the US Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE), the Financial Industry Regulatory Authority (FINRA) and the UK’s Financial Conduct Authority (FCA) – have already delivered detailed reports exposing how unprepared and ill equipped firms currently are to defend against threats.

In these reports, the authorities have also set out their expectations on the benchmarks, measures and procedures that firms need to implement in order to identify, prevent and respond to possible future attacks.  As regulatory associations work to fully define and outline these expectations, it is essential that firms gain an understanding of governance analysis to better prepare themselves for the continuous program and posture evaluation and audits that lie ahead to demonstrate their efficacy.  

As a leading cybersecurity advisor in the Private Equity and Venture Capital industry, Valorr is continuously aligns with the regulatory associations driving change and remains committed to delivering essential services to help firms in the sector stay ahead of governance requirements.  

As we continue to work with our partners to protect their businesses from cyber threats, we notice three main trends: 

  1. The absence of current cybersecurity programs.
  2. Unmonitored and unsecure data environments, applications and devices.
  3. Lack of the requisite expertise among staff to develop effective cybersecurity protocols

There Is A Shift Taking Place

In the private equity (PE) space, cyber risk and threat awareness among General Partners (GPs) is on the rise.  A strong driver of this shift is Limited Partners (LPs), who want a better understanding of how firms are securing their own environments and also how firms are addressing cyber risks with their portfolio companies. 

In November 2021, the Institutional Limited Partners Association (ILPA), a global organization dedicated to supporting the interests of limited partners, issued a new standardized due diligence questionnaire (DDQ) with added cybersecurity components. 

According to the ILPA website, the purpose of the revised DDQ is “to standardize the key areas of inquiry posed by investors during their diligence of managers.”  A primary area of concern is PE firms’ cybersecurity policies and procedures. 

Such due diligence is crucial in the PE space.  

“Private equity firms that fail to do cybersecurity due diligence on their portfolio companies are at a significant disadvantage, both from a compliance and competitive standpoint.”

How could General Partners be better prepared?

The best approach for managing cyber risk is to develop an informed perspective by way of a streamlined and manageable process that treats cyber risk as equally as other types of risk, for example market risk, counterparty risk and legal risk. 

Formal practices for managing cyber risk should align with other risk management approaches that are in place, where cyber risk is treated as just another risk. The SEC has encouraged developing a “reasonably” designed approach to managing cyber risk, such as one that reflects the following characteristics: 

Informed – supports and promotes an awareness of today’s cyber risks, including regulatory and legal considerations 

Manageable – risk evaluation, if performed in a manner that is manageable, does not overwhelm the business and does not negatively impact day-to-day operations.

Digestible – reporting “in plain English” is generated that can easily be consumed by a firms’ risk leads, including COOs, deal teams and boards of directors 

Actionable – reporting is clear and includes reasonable next steps to address key identified cyber risks 

Should a PE firm or one of its portfolio companies be impacted by a serious cybersecurity event, the reputation of the firm among investors, regulators and other stakeholders may be on the line. 

We advise that you take the following actions: 

  • Establish an Information Security Policy: Outlining how the organizations plans to and is currently addressing cyber and IT related risks.  
  • Secure your email service and other critical services: Ensure that your critical communication and productivity services are configured properly and tested.  Your business depends heavily on real-time data and system access, when crisis hits these relationships will propel you through.  
  • Document an Incident Response Plan: Ensure your organization and its leaders know how you will respond to a cyber incident or IT disruption, this proactive planning will literally save you millions.  
  • Back up your data: Back up your data within resilient infrastructure and test those back ups frequently.  Not all backup and data storage facilities/services are created equal! 

As cyber threats continue to proliferate, anticipating and managing them at all organizational levels will remain vital during 2022 and beyond.  As recent events have proved, PE firms are vulnerable on a variety of fronts, from their vendors and third-party suppliers to their portfolio companies.  Taking steps now to ensure proactive protections and risk management practices can help reduce these risk and help ensure that portfolio companies generate profits—not headaches—for PE firms. 

The Valorr Team looks forward to providing continual insights relevant to your industry.  For other tips and tricks in staying cyber informed, please visit our additional Valorr Insights at Insights – Valorr | Cyber Risk Management (valorradvisors.com)