Cyber Risk Management For Investment Portfolios: Why Private Equity Firms Should Pay Attention

The goal of any investment is to generate a positive return on that investment—so that part’s obvious. But behind every great investment is the countless hours spent performing due diligence.

It’s no secret that due diligence plays an important role in protecting a private equity firm from making a bad investment. And yet, cyber risk management is one area of the due diligence process that often doesn’t receive the attention it deserves.

Take 2018’s disastrous Starwood acquisition, where Marriott International became the largest global hotel chain when it added Sheraton, Westin, St. Regis, and W Hotels to its portfolio. What seemed like a significant, industry-moving deal quickly devolved into chaos when it was discovered that one of the properties they acquired had an exposed database dating back to 2014. Through this database, bad actors had duplicated, encrypted, and erased guests’ personal data.

And when you consider that the average cost of a data breach rose from $3.86 million to $4.24 million in 2021, the highest annual average reported in the 17 years the figure has been tracked, it’s no surprise that understanding cyber security risks in private equity is essential to protecting your investments.

Businesses themselves are finding more reasons every day to invest in cyber risk management for their investment portfolios, as a strong standing ensures a healthy amount of trust amongst investors, business partners, and consumers.


The Times Are a-Changin’: Here’s What We Know

Digital security has always been important, but it was never the primary driver of the private equity industry. Investors would largely look to the performance of their chosen investments instead: the actual business, its financial health, market risks, and other factors. Cyber risk often took a backseat as a result.

But we’ve recently seen a sudden surge in private equity firms needing to know that their clients have a proper cyber risk management platform and program in place. This trend is due to several factors:

  • Approximately half of U.S. businesses have experienced a data breach, according to the 2021 Thales Data Threat Report. Any attack at all can compromise the profile of a potential client business.
  • If the problem is widespread enough, too many unaccounted cyberattacks can result in a diluted portfolio and reduced value for the firm.
  • Various government regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are forcing companies to adopt cybersecurity measures as well as limiting various forms of data collection and analysis of PII.
  • Recent trends like the Internet of Things and the rise of remote work have increased our use of digital tools and services, widening the attack surface of organizations everywhere.
  • Investors themselves are seeing the benefits of cyber security in private equity. The return on investment is often higher when you are working with managers that understand why keeping safe online is important.
  • Specific companies and industries will not do business with companies that have a poorly implemented cyber security program due to the increased risks at hand.

It’s obvious that companies have to evolve with the market if they want to succeed in modern investing. If you work in private equity, going through your portfolio of businesses and checking for cybersecurity readiness is worth your time. 

The reality is you are protecting yourself from incidents that can cause both investment and brand damage. However, you shouldn’t approach this as a one-off exercise. Instead, cyber risk management should become a baseline process that aims to reduce your exposure to risk, ensure your investments are following cyber best practices, and provide actionable insights you can use when evaluating potential investments.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Your Next Steps

Taking the right cyber security considerations for private equity can be a challenge, especially if you work with a large portfolio, but there are steps to take to incorporate this essential new aspect of business success into your investments.

Avoid Losses By Monitoring Your Portfolio

Cybersecurity has a direct impact on your return on investment as a private equity executive, so staying on top of these needs will allow you to:

  • Address past reductions in business value caused by successful cyberattacks.
  • Avoid future losses from cyberattacks. For instance, a business that fails to take the right precautions against data breaches could face a penalty from your firm.
  • Combine these two steps to produce a risk profile for each asset, effectively allowing you to stay on top of assessing cybersecurity risks for all your investments.

Remember that whenever you inject capital to grow a company, you are usually also expanding its cyberattack surface. And different types of businesses face different kinds of threats: an eCommerce store will have an entirely different scope of risks compared to, say, a manufacturer. For these reasons, make sure cybersecurity is at the forefront of your work at all times.

Take a Holistic Approach

It can be rather inefficient to go through each of your companies individually to check its cybersecurity posture. Instead, look for assessment and protection tools that cover your entire portfolio.

For each company, you want to look for:

  • Cyber risk assessment protocols
  • Internal vulnerability scanning
  • Training to recognize and avoid phishing
  • Incident response
  • Reporting and analytics

Establish a minimum requirement for all businesses and then add tweaks to tailor your attention to each client’s specific needs and circumstances.
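As an added illustration (not Centraleyes code, and not a method the article itself describes), the following Python sketch turns the checklist above into a portfolio-wide baseline check: every company is measured against the same minimum set of controls, sector-specific extras are layered on top, known past incidents raise the score, and the result is a ranked risk profile for each asset. The control weights, sector extras, rating thresholds and sample companies are all constructed assumptions chosen for the example.

```python
"""Portfolio-wide cyber-posture baseline check (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# The five areas the article says to look for in every portfolio company.
BASELINE_CONTROLS: Dict[str, str] = {
    "risk_assessment": "Cyber risk assessment protocols",
    "vuln_scanning": "Internal vulnerability scanning",
    "phishing_training": "Training to recognize and avoid phishing",
    "incident_response": "Incident response",
    "reporting": "Reporting and analytics",
}

# Assumed weights: how much a missing control contributes to the risk score.
CONTROL_WEIGHTS: Dict[str, int] = {
    "risk_assessment": 2,
    "vuln_scanning": 3,
    "phishing_training": 2,
    "incident_response": 3,
    "reporting": 1,
}

# Assumed per-sector tailoring: extra controls expected beyond the baseline
# (an eCommerce store and a manufacturer face different threats).
SECTOR_EXTRAS: Dict[str, Dict[str, int]] = {
    "ecommerce": {"payment_data_protection": 3},
    "manufacturing": {"ot_network_segmentation": 3},
}

# Assumed score thresholds for the rating bands.
MEDIUM_MAX = 4


@dataclass
class CompanyReport:
    """What a portfolio company reports back to the firm."""
    name: str
    sector: str
    controls_in_place: Set[str] = field(default_factory=set)
    past_incidents: int = 0  # known successful attacks, each adds to the score


@dataclass
class RiskProfile:
    name: str
    missing: List[str]
    score: int
    rating: str


def required_controls(sector: str) -> Dict[str, int]:
    """Minimum requirement for all companies plus sector-specific tweaks."""
    required = dict(CONTROL_WEIGHTS)
    required.update(SECTOR_EXTRAS.get(sector, {}))
    return required


def assess(report: CompanyReport) -> RiskProfile:
    """Score one company: weighted missing controls plus 2 points per incident."""
    required = required_controls(report.sector)
    missing = sorted(c for c in required if c not in report.controls_in_place)
    score = sum(required[c] for c in missing) + 2 * report.past_incidents
    if score == 0:
        rating = "low"
    elif score <= MEDIUM_MAX:
        rating = "medium"
    else:
        rating = "high"
    return RiskProfile(report.name, missing, score, rating)


def assess_portfolio(reports: List[CompanyReport]) -> List[RiskProfile]:
    """Rank the whole portfolio, highest risk first, for a single-pane view."""
    return sorted((assess(r) for r in reports), key=lambda p: (-p.score, p.name))


# Constructed sample portfolio; names and sectors are fictitious.
SAMPLE_REPORTS = [
    CompanyReport("Acme Shop", "ecommerce", set(BASELINE_CONTROLS)),
    CompanyReport("Bolt Works", "manufacturing",
                  {"risk_assessment", "reporting"}, past_incidents=1),
    CompanyReport("Crest Labs", "services", set(BASELINE_CONTROLS)),
]


if __name__ == "__main__":
    for profile in assess_portfolio(SAMPLE_REPORTS):
        gaps = ", ".join(profile.missing) or "none"
        print(f"{profile.name:12} {profile.rating:6} score={profile.score:2} gaps: {gaps}")
```

Running the script prints the portfolio ranked by score, so the company that most needs attention (here the manufacturer with no incident response, no scanning and a prior incident) comes first, while a company that meets the full baseline for its sector rates low.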

Follow Up on the Trends

It’s no secret that the industry has changed in recent years in response to the rise of remote work accelerated by COVID-19. Working from home will certainly stick around thanks to the extra flexibility given to employees, but it will also change the cyber security landscape as we know it.

Employees at companies of all sizes and in all industries now bring their own devices, from smartphones to tablets, to work. There were 10 billion active IoT devices on record in 2021. While convenient, stolen or hacked entry points are now more common than ever, especially when some of those employees have high-ranking access to sensitive business assets.

Because day-to-day activities are considerably different now, PE companies must factor in the changes as part of their portfolio analysis. How well is your client business handling security awareness in the face of a changing workplace? For instance, are there measures in place to teach employees about phishing scams? Are high-level executives aware of how to protect the vast amount of access they have?

Centraleyes makes it easy for private equity firms to stay up to date on the latest trends. We leverage the most advanced and automated risk management platform in the world, backed by a team of world class cyber risk analysts to ensure our platform uses the most accurate data available when it comes to managing cyber risk.

Don’t Forget Your Own Cybersecurity

In a research study conducted by Private Equity International (PEI), 100 international private equity organizations were asked about their cyber security postures. 7 out of 10 of them considered digital security a “high risk” to business operations, yet only 23% had an operational program for protecting themselves online.

Private equity remains a popular target for cybercrime itself since:

  • The PE firms involved have access to a lot of capital and control over third parties, and are exposed to the most sensitive information on their portfolio companies.
  • When it comes to complicated deals, spoofing communication through phishing or other methods of identity theft is all too easy. Mergers and acquisitions are particularly risky.
  • The higher volume of transactions made every day means that stolen funds are easy to overlook. Fraud control is often a problem in this industry as it is.
  • A lot of private equity firms see cybersecurity protocols as an obstacle to productivity rather than a necessity.

The key points of data used by the private equity industry that are especially vulnerable include the following:

  • Client personal data: You might store your clients’ payment or personal information for internal use, but that data can easily be stolen.
  • Trade secrets: B2B communication is incredibly important in the investing space, which means that confidential business intelligence is easily a target for cyber criminals.
  • Intellectual property: For companies with high-value IP, it’s essential that you have the right security policies in place to protect it.

The takeaway here is that, while checking on the security compliance of your portfolio companies, don’t forget to check up on your own digital safety as well.

Enhance Your Cyber Risk Assessment Capabilities With Centraleyes

Private equity firms looking to stay competitive in the digital age will need to implement solutions that allow them to better manage cyber risk across their portfolio.

The challenge is finding a unified solution that enables the easy collection of data from portfolio companies while aggregating findings into a clear, concise, and centralized view—a solution that combines cybersecurity industry data, threat data, frameworks, regulatory changes, and other industry-specific details.

Are you looking for an intuitive, single-pane solution to manage cyber risk across your portfolio? Book your discovery call with Centraleyes today to see how private equity firms are using our robust cyber risk management platform to mitigate risk.
