With cyber threats and techniques continually evolving, the likelihood that an organization, small or large, will experience a breach has increased significantly. In particular, the rise of ransomware-as-a-service means that huge numbers of unskilled attackers can monetize attacks on smaller organizations.
Indeed, smaller organizations have become the primary target for attacks because they have a reputation for poor cyber hygiene and because attacks on them attract less media and law enforcement attention. A recent study found that 82% of ransomware attacks target organizations with fewer than 1,000 employees.
It has become imperative that PE firms institute a “next level” of portfolio oversight: oversight that is formal, programmatic, and grows valuations. These more far-reaching cybersecurity portfolio oversight programs will meet increased investor expectations on cyber as well as safeguard and grow the valuation of investments.
In our experience, we regularly run into the same myths or misconceptions about the role of, and barriers to, building out a programmatic portfolio oversight capability.
In this series, we debunk some of the most common myths, providing your firm with the first step towards generating the necessary buy-in and funding for oversight. You can read other myths in our series here:
- Myth #1: Intervention in portfolio companies’ (“PortCos”) cyber programs is too burdensome on the PortCo.
- Myth #2: Our firm already has a pretty good idea which PortCos need careful examination and/or assistance with cyber.
Myth #3: Investors don’t care and/or are satisfied with our current approach to cybersecurity.
In the coming years, cyber, like ESG, is expected to become an increasingly important factor in LPs’ investment decisions. Recognizing the high cost of data breaches, more and more LPs are focusing on cybersecurity practices at the portfolio level to ensure the security of their investments. LPs are demanding more reporting on cybersecurity metrics; according to a recent survey, 55% expect consistent reporting across the portfolio. LPs are also asking more detailed questions about the controls that PortCos have in place.
While LPs have concerns about cyber, they may not have the expertise to evaluate whether cyber oversight is adequate. Detailed, technical reports and bespoke efforts for individual PortCos might make sense to a security expert but are unlikely to assuage investor concerns. One of the drivers for a programmatic approach to cybersecurity oversight is to be able to provide a simple, confidence-inspiring picture of cyber protections across the portfolio. Some of the keys to success here are: a consistent approach across PortCos, measures and benchmarks that are comparable across companies, and formal governance of oversight efforts.
Beyond meeting the needs of existing investors, these more advanced approaches to cyber oversight can provide firms a key competitive advantage in the market to attract new investors. This is especially valuable as firms find it harder to attract and retain investors in the current economic environment.
This myth is just one of several outlined in our latest white paper “4 Myths About Cybersecurity Portfolio Oversight.” Download here to learn more about the common myths that stand in the way of firms adopting programmatic oversight. We also offer a framework for organizations to begin evolving their approach, enabling them to avoid value destruction, better compete for capital, and increase valuations.
55% of surveyed LPs state cybersecurity risk assessments at PortCos will be a ‘must have’ within the next few years.
— Coller Capital Global Private Equity Barometer Winter 2021-2022
For several years PE firms have been dipping a toe in the water of cybersecurity portfolio oversight. In addition to the basic practice of pre-acquisition cyber due diligence, initial efforts taken by PE firms include bringing outside consultants and vendors in to PortCos with known cyber challenges and instituting minimum expectations for cybersecurity controls across the portfolio. Indeed, in 2022, 60% of firms polled by ACA reported actively engaging in some level of cyber oversight.
However, as recently reported in the Wall Street Journal, this initial level of oversight is no longer sufficient to protect investments from cyber threats or reassure investors. Instead, it has become imperative that PE firms institute a programmatic approach to portfolio oversight: oversight that is formally governed, applied consistently, and grows valuations. Programmatic cybersecurity portfolio oversight will meet increased investor expectations for cyber as well as safeguard and grow the valuation of investments.
Despite this pressure on PE firms, evolving cyber portfolio oversight to a programmatic approach is challenging. Most firms lack the cyber expertise, funding, buy-in, and/or understanding of what an oversight program should look like.