Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
Blog article
See all stories »
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Getting to grips with cyber risk in private equity portfolios

Private equity firms may be aware of the growing number of cybersecurity and data protection regulations for financial services organizations – but how knowledgeable are they about the cyber risks that lurk within the diverse range of companies in their portfolios?

Cyber breaches, and data security violations, can have a very real impact on the value of a corporate holding. For example, search engine Yahoo was forced to reduce the sales price of its email and digital services to Verizon Communications from $4.83 billion to $4.48 billion as a result of two large cyber breaches in 2013 and 2014. Since the breach, dozens of lawsuits have been filed, and Yahoo is under investigation by regulators. The company recently announced that up to three billion people could have had their personal information compromised.

Cyber risk – and organizations’ exposure to it – is increasing. Over the past few weeks, a number of high-profile organizations across a range of industries have disclosed that they have been subject to a cyber breach, and that data – personal and corporate – has been compromised. These include:

  • Deloitte – announced at the end of September, details of the consulting firm’s key corporate clients may have been accessed
  • Equifax – accounts of 145.5 million customers may have been accessed by hackers, including sensitive non-public information. The breach was disclosed in early September.
  • Bupa – in July, the health insurance company announced that an employee had copied and taken away data connected to 547,000 international health insurance plan customers.

Many of these cybersecurity incidents – such as the Equifax breach – are potentially the result of organizations not having the efficient and effective policies, procedures, and controls in place to help prevent a cyberattack turning into an actual loss event. Operational risk – as well as the associated reputational risk – is transformed into an investment risk if the company that has a cyber breach or data protection incident happens to be owned by a private equity firm.

To protect revenue and preserve the value of their investment portfolio, it makes sense for private equity firms to ensure that the companies they have stakes in are not only compliant with industry rules, but are also applying good practices to properly manage the cyber risks and data protection threats they face. The cybersecurity and data protection space is evolving very rapidly around the world. In the US, New York State has new cyber regulations for financial services firms, and other individual states are putting in place a range of new rules of their own. The federal government has a large cybersecurity program that will, very quickly, translate into new rules and practices across industries. In the EU, the General Data Protection Regulation (GDPR) comes into force in May 2018, and it has extraterritorial impacts for firms that engage with EU-based clients. The EU is also kicking off a range of cyber risk initiatives that will also, ultimately, translate into new rules. On September 25, 2017, the Securities and Exchange Commission announced and new enforcement “Cyber Unit” dedicated to cyber violations.

Cybersecurity and data protection are fast-moving areas – it’s important to ensure organizations have implemented the most recent requirements and best practices for their industry. A potential portfolio company – whether being acquired outright or as part of a merger or acquisition process – should have its cybersecurity and data protection policies, procedures and controls evaluated as part of the due diligence process. Existing portfolio companies, after an initial review, should also be assessed and evaluated every year, with policies and procedures updated.

Even if private equity firms are already doing this – and many are not – they can often struggle to then bring information about cyber risks from their disparate types of holdings together into one reporting framework, where risks, controls, and other indicators can be compared on an apples-to-apples basis. It can be difficult for private equity executives to accurately assess frameworks, policies, implementation, and approaches without having some kind of a unifying approach. Bringing this kind of methodology to cyber risk assessment across a whole portfolio of companies can bring significant benefits, including being able to understand the cyber risk of individual holdings relative to each other. Private equity firms can also learn about best practices at the companies they hold, and share those practices across their portfolio.

In short, private equity firms need to ensure they have the capabilities to fully assess and manage cyber risks within their portfolio companies – to be able to do this could make the difference between a successful investment and one which suffers in value because of reputational risk, legal risk, and regulatory sanctions. 

 

3590
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Report abuse

Comments: (0)

Join the discussion

Member since

0

Location

0

More from member

Now hiring

See more