The risk of a security incident can no longer be downplayed or ignored when assessing value and returns on investments.
Data compromise and information security breaches affect all companies, no matter their size, industry or location. Private equity organisations should factor in the risk of an incident and its subsequent financial cost to any assessment for investment; until this is known, their portfolio is exposed to a potentially undefined liability with unknown costs.
Some data and security breaches have significantly affected a company’s revenue, earnings and overall value. For example, following the disclosure of two large data breaches in 2013 and 2014, the search engine Yahoo was forced to reduce its sales price from $4.83 billion to $4.48 billion in its takeover by Verizon Communications.
Private equity organisations’ cyber security is vulnerable in three key areas: their own organisation, their deals and the post-deal management of their portfolio companies.
Private equity houses can find themselves the target of cyber-attacks, often being fairly small organisations managing large amounts of money. However, it is the deal process that exposes all parties to the highest risk of compromise, since financially sensitive information is exchanged back and forth.
Post-deal, managing a portfolio company’s cyber security depends mainly on its industry and existing infrastructure. Integrating technology after a merger or acquisition is advisable, in order to avoid weak points between different companies’ systems.
The consequences of a breach affect different parties in several ways. Private equity houses can suffer reputational damage and, as regulated entities, also have to contend with enforcement actions. Portfolio companies can also find their reputation and brand affected, in addition to mitigation costs. At worst, a breach can reduce the portfolio company’s value on exit, or even trigger a deal’s failure.
What should investors look for?
Investors should be wary if a potential portfolio company claims that it has no cyber risks, or is completely secure. A company with mature security risk management will respond by explaining its risks, how it mitigates them and, most importantly, how it detects and responds to a data or security incident, since this correlates directly with the cost of an incident.
Before investing, seek satisfactory answers to the following questions:
1) What are the data and information security risks in the company, and how are they identified and managed?
2) Who is responsible for data and information security in the company? Do they have sufficient authority and know-how to execute their duties?
3) How does the company detect and respond to security incidents?
4) What is the projected cost of a data or security breach to the company?
5) Does the company have sufficient procedural, technical and financial controls in place to minimise the impact of a data or security incident?
A thorough assessment is critical to understanding the exposure a company has. An agreed and funded mitigation plan must then be in place. Operational and reputational risks can put investments at risk if the company affected is part of a private equity portfolio. Private equity companies should ensure that the companies they invest in observe good cyber safety practices as well as complying with other industry standards.
Recent regulatory changes, such as the General Data Protection Regulation (GDPR), will also affect companies that process data belonging to EU citizens. Not only do EU-based companies have to comply with GDPR, but non-EU firms with EU-based clients also have to observe the new data regulations. (GDPR requires all businesses to properly manage their third-party data, with fines of up to €20 million or 4% of annual revenue for non-compliance.)
Companies are also required to report any hacks or data breaches within 72 hours, and to delete data that does not serve a purpose. Many private equity firms have found themselves in a difficult position with outdated systems that cannot delete client data, putting them at risk of non-compliance under GDPR.
Cyber and data risks continue to evolve, and as they do, the private equity sector needs to assess and mitigate them. A thorough approach to cyber security is fast becoming an essential part of any profitable portfolio, and any successful business.