23 November 2017
Michael Corcione

Michael Corcione

Michael Corcione - Cordium

4Posts 15,818Views 0Comments

Getting to grips with cyber risk in private equity portfolios

13 November 2017  |  1940 views  |  0

Private equity firms may be aware of the growing number of cybersecurity and data protection regulations for financial services organizations – but how knowledgeable are they about the cyber risks that lurk within the diverse range of companies in their portfolios?

Cyber breaches, and data security violations, can have a very real impact on the value of a corporate holding. For example, search engine Yahoo was forced to reduce the sales price of its email and digital services to Verizon Communications from $4.83 billion to $4.48 billion as a result of two large cyber breaches in 2013 and 2014. Since the breach, dozens of lawsuits have been filed, and Yahoo is under investigation by regulators. The company recently announced that up to three billion people could have had their personal information compromised.

Cyber risk – and organizations’ exposure to it – is increasing. Over the past few weeks, a number of high-profile organizations across a range of industries have disclosed that they have been subject to a cyber breach, and that data – personal and corporate – has been compromised. These include:

  • Deloitte – announced at the end of September, details of the consulting firm’s key corporate clients may have been accessed
  • Equifax – accounts of 145.5 million customers may have been accessed by hackers, including sensitive non-public information. The breach was disclosed in early September.
  • Bupa – in July, the health insurance company announced that an employee had copied and taken away data connected to 547,000 international health insurance plan customers.

Many of these cybersecurity incidents – such as the Equifax breach – are potentially the result of organizations not having the efficient and effective policies, procedures, and controls in place to help prevent a cyberattack turning into an actual loss event. Operational risk – as well as the associated reputational risk – is transformed into an investment risk if the company that has a cyber breach or data protection incident happens to be owned by a private equity firm.

To protect revenue and preserve the value of their investment portfolio, it makes sense for private equity firms to ensure that the companies they have stakes in are not only compliant with industry rules, but are also applying good practices to properly manage the cyber risks and data protection threats they face. The cybersecurity and data protection space is evolving very rapidly around the world. In the US, New York State has new cyber regulations for financial services firms, and other individual states are putting in place a range of new rules of their own. The federal government has a large cybersecurity program that will, very quickly, translate into new rules and practices across industries. In the EU, the General Data Protection Regulation (GDPR) comes into force in May 2018, and it has extraterritorial impacts for firms that engage with EU-based clients. The EU is also kicking off a range of cyber risk initiatives that will also, ultimately, translate into new rules. On September 25, 2017, the Securities and Exchange Commission announced and new enforcement “Cyber Unit” dedicated to cyber violations.

Cybersecurity and data protection are fast-moving areas – it’s important to ensure organizations have implemented the most recent requirements and best practices for their industry. A potential portfolio company – whether being acquired outright or as part of a merger or acquisition process – should have its cybersecurity and data protection policies, procedures and controls evaluated as part of the due diligence process. Existing portfolio companies, after an initial review, should also be assessed and evaluated every year, with policies and procedures updated.

Even if private equity firms are already doing this – and many are not – they can often struggle to then bring information about cyber risks from their disparate types of holdings together into one reporting framework, where risks, controls, and other indicators can be compared on an apples-to-apples basis. It can be difficult for private equity executives to accurately assess frameworks, policies, implementation, and approaches without having some kind of a unifying approach. Bringing this kind of methodology to cyber risk assessment across a whole portfolio of companies can bring significant benefits, including being able to understand the cyber risk of individual holdings relative to each other. Private equity firms can also learn about best practices at the companies they hold, and share those practices across their portfolio.

In short, private equity firms need to ensure they have the capabilities to fully assess and manage cyber risks within their portfolio companies – to be able to do this could make the difference between a successful investment and one which suffers in value because of reputational risk, legal risk, and regulatory sanctions. 

 

Comments: (0)

Comment on this story (membership required)

Latest posts from Michael

Cyber attack response - What do you do?

15 November 2017  |  3021 views  |  0 comments | recomends Recommends 0

Getting to grips with cyber risk in private equity portfolios

13 November 2017  |  1940 views  |  0 comments | recomends Recommends 0

Cybersecurity: Getting the basics right

03 October 2017  |  6669 views  |  0 comments | recomends Recommends 0 TagsSecurityRisk & regulation

General Data Protection Regulation for Fund Managers: time to act

24 July 2017  |  4189 views  |  0 comments | recomends Recommends 0 TagsRisk & regulation

Michael's profile

job title Managing Director, Cybersecurity & Data Protection
location London
member since 2017
Summary profile See full profile »

Michael's expertise

Member since 2017
0 posts0 comments
What Michael reads
Michael writes about
SecurityRisk & regulation

Who's commenting on Michael's posts