3 minute read 10 Nov 2020

How to apply cybersecurity lens as a tangible value driver

By Paul Harragan

EY-Parthenon Associate Partner, Strategy & Transactions, Ernst & Young LLP

Applying actionable intelligence to protect the defenseless perimeter. Husband, father. Security bloke. Blue team.


This year, the adoption of new technologies by both consumers and businesses has accelerated rapidly, driven by the COVID-19 pandemic.

Private equity has been driven to a great extent by digitisation and is at the forefront of value creation now more than ever. While this carries huge benefits, it also exposes ever more corporate value to malicious cyber activity. As per my previous article, private equity has traditionally taken a less rigorous approach to cybersecurity than other industries, but this is starting to change.

I have worked on more than 150 private equity transactions in the past few years. At first, it was only the more forward-thinking General Partners; now we see about 80% of large cap managers, and almost half of mid-market managers, mandating cyber diligence routinely. It’s not all demand pull: insurance underwriters are increasingly requiring it too. In reality, any old risk assessment will tick a cybersecurity box, but if it’s worth doing, it’s worth doing well.

With the rising cybersecurity challenges that many portfolio companies face as we continue to operate more and more virtually amidst a pandemic, the unique approach that we take gets to the core of four key areas:

1. It uses the investment thesis as the primary risk metric

A boilerplate risk assessment, regardless of industry, geography or size, is still very much the norm. You might think it obvious that any analysis would ideally be company specific, but our approach goes further than that: the goal is to protect and create shareholder value. So, the correct lens to use is the investment thesis itself.

2. It applies a sharp focus that garners board-level attention

Most cyber risk isn't about numbers, but people. The only way to effectively manage cyber risk is to address it at board level. That is not going to happen without addressing the board through the right lens of their corporate culture and outcomes aligned to their corporate strategy.

3. It looks at the future threat landscape

Most cyber diligence only tells you where you are now: what are your weaknesses and where should you tighten up. In a world of 100-day plans and proactive operational change, such an analysis rapidly changes. By using the deal thesis as the starting point, we automatically consider the evolving threat landscape of the business, during the whole investment period and beyond.

This is partly a mindset and partly a process: if you are only conducting an exercise on the way in and the way out, or annually, then your ability to truly encompass evolving risks in this fast-paced cyber warfare is greatly diminished.

4. It stays with the asset for real-time risk mitigation

Our approach stays with an asset throughout its investment life to ensure its value is not eroded by security incidents, and if such incidents occur, that they are robustly handled. The risk of a buyer chipping at the EBITDA margin on the way out is too high a cost. Therefore, providing good evidence of first-rate and routine cyber hygiene can add or protect that investment value.

Today, the majority of my phone calls are still reactive. But private equity and their portfolio companies are heading in the right direction: towards proactive, holistic, real-time risk management of cyber risk that applies a focused lens to their approach.

Summary

Cyber diligence and digitisation lead to private equity value creation nowadays more than ever.
