A full understanding of cyber resilience and an integrated cyber strategy is fast becoming a necessity within a private equity portfolio management approach, rather than a nice-to-have option. An organisation’s equity is so often and so inextricably linked to its data that ignoring cyber risk is simply asking for trouble. It is our assessment that in the not too distant future both investors and regulators will become much more demanding of assurances that cyber risk is being robustly managed. These pressures will likely focus on people, process and technologies within the portfolio organisations themselves, but it is worth bearing in mind that the risks are increasingly emanating from the “extended enterprise” including the supply chain. So what can be done by PE firms to minimise their exposure to this ever-increasing threat to profitability and stability which can be very hard to identify and can originate well outside the PE firm’s perceived sphere of influence? We’ve put together a few points to consider.
We assess cyber risk using a 7-part framework. The first and arguably the most fundamental part of this framework is “Governance”. In our experience, getting the governance bit wrong can lead to an unravelling of the whole strategy. Cyber risk is a business-level risk and thus accountability should be held at board level by the whole board, not pushed onto the CISO or IT director which is a very common error and one we in the cyber security industry, often see repeated. Decisions such as level of investment in cyber defence, PR handling in the event of a breach, when to bring in the lawyers and “should we pay the ransom” are the domain of the whole board, not one individual or department.
On the basis that 75% of large enterprises suffered a cyber breach in 2019 and the probability of a breach should be treated as almost inevitable, the next step should be to ensure your incident response procedures (a) cover all aspects; (b) are well understood across the portfolio; and (c) are routinely rehearsed. We have heard experts recommend setting up a “war room” in the event of a cyber breach which would likely need to be subject to a threshold of severity, but the thinking is sound. A serious breach will require an all-hands-on-deck approach to cover and co-ordinate aspects such as business continuity and disaster recovery plan initiation, legal engagement, insurance claims, PR handling as well as the more technically focused activities like digital forensics and cyber incident response. Getting this right requires practice at all levels. For the more specialist roles, you may want to have already engaged a trusted team of experts who take part in your response exercises, are on hand to assist in the event of an incident and are well versed in your organisation’s systems architecture.
Managing risk within the supply chain is another important component of the 7-part framework. This can be undertaken in a number of ways dependent upon the type of organisation you are, but the most fundamental step is to ensure that someone within your organisation is made responsible for managing and implementing the strategy of minimising cyber risk stemming from this area. Supply chains can be large and daunting and are unique to the business but assessing the real risks through the identification of critical suppliers (however you choose to define “critical”) is an important step. These critical suppliers should be treated as an integral part of the “extended enterprise” and should be subject to the same standards and accreditations that you would expect of the rest of your portfolio. A guide to good practice from a trusted source that could be flowed down through the supply chain would be the NCSC’s “10 Steps to Cyber Security”. There is always a balance between cost and risk and this is never more appropriate than when you are assessing a flow down of mandatory conditions to your supply chain but the inclusion of a the achievement of a minimum level of standards should be considered, including ISO27001 and Cyber Essentials accreditations.
The last point for consideration that we would like to make in this short article is be sure to include cyber security as part of the pre-deal due diligence exercise in an acquisition process. Moving laterally between connected organisations is often how hackers work and the contagion of bringing in an already compromised organisation into your portfolio could be devastating. Get some trusted experts in to conduct a thorough assessment of the target company and produce an accessible and readily understood report of the risk areas. This type of an assessment will enable you to make informed judgements on how to approach the topic of cyber risk in the context of all the other discussions going on throughout the acquisition process. Risks in this area can also be managed through a number of other instruments including careful and planned use of cyber insurances, indemnities from the sellers (backed up if appropriate through W&I insurances) and even bonds put aside for a period after sale completion to cover for any unforeseen and/or unforeseeable pre-existing cyber breaches. Your knowledge of the exposure and assessment of the cost of developing a potential target’s cyber posture could also be used as leverage in negotiations and add another item to your negotiation toolkit.