Cyber attacks can ruin a business’s reputation, cost it clients, customers and suppliers, and ultimately result in lost revenues and earnings. The same applies to investors: cyber and compliance events can have a major impact on the brand and reputation of your private equity firm and on the valuation of its assets.
Implemented in 2018, the EU’s General Data Protection Regulation (GDPR) provides a compliance route to improving cybersecurity standards and defences. But compliance alone may not be enough. Potential investors will usually undertake their own form of risk assessment. But what form should this take?
According to law firm White and Case, “(risk) assessments should address existing compromises, policy violations or suspicious activities, and the organisation’s overall cybersecurity capabilities.”
In its annual report, the firm lists several questions to consider, including:
• Is the information system architecture effectively structured?
• Are the risks well understood, and reviewed constantly as sophisticated threat actors advance?
• Are the right measures set up to detect breaches, and what is the average response time?
• What are the policies and processes for connecting with third-party vendors, and does the organisation assess the nature and degree of supply chain connectivity as a risk?
White and Case say that, “ideally, organisations would understand the cyber health of any company they want to acquire before completing a transaction. When that isn’t possible, the review should occur before post-purchase integration enables issues to spread from the portfolio company to the private equity firm or to other companies in its portfolio.”
According to a survey by Coller Capital, private equity firms’ limited partners are already thinking about the potential damage that cyber attacks can cause, with 55% of investors saying they will require their general partners to undertake cybersecurity risk assessments for their management companies, and 45% requiring the same assessments at the portfolio level.
White and Case also say that, “private equity funds are taking a risk-based approach and understand that boilerplate approaches to cyber risk are ineffective.” As they explain: “certain sectors—including healthcare, infrastructure, and transport and logistics—not only face greater disruption if they are attacked in ways that extend well beyond data loss, including the potential loss of business continuity and even the loss of life, but are exposed to higher reputational and value downside if they fall victim to breaches.”
CyNation’s CyDesk enables private equity firms to assess and manage the security risk exposure of their portfolio companies during their entire lifecycle. The platform allows private equity firms to monitor and manage the cyber security, regulatory compliance and business risks and the impact of these risks on the success and valuation of their assets on an ongoing basis.