Private equity firms may be aware of the growing number of cybersecurity and data protection regulations for financial services organizations – but how knowledgeable are they about the cyber risks that lurk within the diverse range of companies in their
Cyber breaches, and data security violations, can have a very real impact on the value of a corporate holding. For example, search engine Yahoo was forced to reduce the sales price of its email and digital services to Verizon Communications from $4.83 billion
to $4.48 billion as a result of two large cyber breaches in 2013 and 2014. Since the breach, dozens of lawsuits have been filed, and Yahoo is under investigation by regulators. The company recently announced that up to three billion people could have had their
personal information compromised.
Cyber risk – and organizations’ exposure to it – is increasing. Over the past few weeks, a number of high-profile organizations across a range of industries have disclosed that they have been subject to a cyber breach, and that data – personal and corporate
– has been compromised. These include:
- Deloitte – announced at the end of September, details of the consulting firm’s key corporate clients may have been accessed
- Equifax – accounts of 145.5 million customers may have been accessed by hackers, including sensitive non-public information. The breach was disclosed in early September.
- Bupa – in July, the health insurance company announced that an employee had copied and taken away data connected to 547,000 international health insurance plan customers.
Many of these cybersecurity incidents – such as the Equifax breach – are potentially the result of organizations not having the efficient and effective policies, procedures, and controls in place to help prevent a cyberattack turning into an actual loss
event. Operational risk – as well as the associated reputational risk – is transformed into an investment risk if the company that has a cyber breach or data protection incident happens to be owned by a private equity firm.
To protect revenue and preserve the value of their investment portfolio, it makes sense for private equity firms to ensure that the companies they have stakes in are not only compliant with industry rules, but are also applying good practices to properly
manage the cyber risks and data protection threats they face. The cybersecurity and data protection space is evolving very rapidly around the world. In the US, New York State has new cyber regulations for financial services firms, and other individual states
are putting in place a range of new rules of their own. The federal government has a large cybersecurity program that will, very quickly, translate into new rules and practices across industries. In the EU, the General Data Protection Regulation (GDPR) comes
into force in May 2018, and it has extraterritorial impacts for firms that engage with EU-based clients. The EU is also kicking off a range of cyber risk initiatives that will also, ultimately, translate into new rules. On September 25, 2017, the Securities
and Exchange Commission announced a new enforcement “Cyber Unit” dedicated to cyber violations.
Cybersecurity and data protection are fast-moving areas – it’s important to ensure organizations have implemented the most recent requirements and best practices for their industry. A potential portfolio company – whether being acquired outright or as part
of a merger or acquisition process – should have its cybersecurity and data protection policies, procedures and controls evaluated as part of the due diligence process. Existing portfolio companies, after an initial review, should also be assessed and evaluated
every year, with policies and procedures updated.
Even if private equity firms are already doing this – and many are not – they can often struggle to then bring information about cyber risks from their disparate types of holdings together into one reporting framework, where risks, controls, and other indicators
can be compared on an apples-to-apples basis. It can be difficult for private equity executives to accurately assess frameworks, policies, implementation, and approaches without some kind of unifying approach. Bringing this kind of methodology to
cyber risk assessment across a whole portfolio of companies can bring significant benefits, including being able to understand the cyber risk of individual holdings relative to each other. Private equity firms can also learn about best practices at the companies
they hold, and share those practices across their portfolio.
In short, private equity firms need to ensure they have the capabilities to fully assess and manage cyber risks within their portfolio companies – being able to do this could make the difference between a successful investment and one which suffers in value
because of reputational risk, legal risk, and regulatory sanctions.