Cybercrime has become a critical issue for buyout firms as hackers are increasingly targeting sensitive business data to profit from insider knowledge. According to a Private Funds Management survey of 91 PE houses, 54% of PE firms said they had been hit with a cyberattack, while 45% said cybersecurity was a high threat to business operations. Despite this, 66% of PE firms said their cybersecurity programme was only partially implemented.
Buyout Firms Are Vulnerable
If a PE firm falls victim to a cyberattack, highly sensitive information is likely to leak. This is problematic, especially in cases of listed buyout firms where performance data will be market sensitive, or in public- to-private transactions where any leak is price sensitive. Even where entities are not listed, buyout firms hold valuable information, not only on acquisition targets and portfolio companies, but also on their investors, which may include sovereign wealth and pension funds.
In our view, cybersecurity needs to be a priority for PE firms. However, many PE firms may have a limited number of IT support staff and a small budget to fight cybercrime. In order to combat the growing threat, this will need to change.
Why Cybersecurity Matters
As PE firms build their reputations on their professionalism, cyberattacks have the potential to cause long-term damage. Security breaches damage investor relations and can harm future fundraising efforts. A significant cyberattack also has the ability to affect firm or portfolio company value. Earlier this year, Verizon reportedly cut its valuation of Yahoo by US$350 million after the late disclosure of two data breaches.
Regulators are also taking notice. The Financial Conduct Authority (FCA) published guidance in May 2017 stating that “cyber risks pose a threat to all financial services firms”, which should be “able to defend themselves effectively”. Under Europe’s upcoming General Data Protection Regulation, data controllers are required to report a breach within 72 hours if certain conditions are met. Failure to provide adequate security can lead to fines of up to 4% of a company’s annual turnover or €20 million, whichever is higher. In the UK, “material cyber incidents” must also be reported to the FCA.
What Can Buyout Firms Do?
While PE firms are often focused on cyber defence for their portfolio companies, they should also pay attention to their own cyber defences. PE firms should ensure they have a comprehensive enterprise-wide plan to deal quickly and effectively with an attack. Key stakeholders should be trained on the plan through “table top” exercises simulating cyberattack scenarios to ensure optimal response when facing an actual attack.
5 Steps to Ensure Cyber Readiness:
Adopt a Formal Cybersecurity Programme: Adopt, and continuously improve, a cybersecurity programme. Assign responsibility for cybersecurity matters and ensure senior engagement. Consider cybersecurity insurance.
Conduct a Risk Assessment: Identify what types of sensitive data are stored, where this data is stored on systems and how it is protected. Identify threats or vulnerabilities to sensitive data. Document the costs versus the benefits of additional security measures.
Develop an Incident Response Plan: Identify members of the response team and their roles. Classify the types of incidents that will trigger the plan and how these incidents will be escalated internally. Identify when external parties should be notified and how/when these notifications should be made.
Identify and Manage Third-Party Risks: Identify third parties with access to or control over systems or data. Ensure that this access is strictly limited to business need.
Train Employees: Provide regular cybersecurity training to all employees (from top management down). Test employees’ understanding through realistic simulations.
It is often said that there are two kinds of companies: those that have already suffered a data breach and those that will suffer one. PE firms must be aware of the fact that they are attractive targets, and ensure that they have adequate defences and effective incident response plans in place.