What does risk have to do with a portfolio company? Unfortunately, everything! As hackers become more imaginative and breaches more impactful, it’s critically important for private equity and investment firms to understand the risks that threaten their potential or existing portfolio companies as well as the preparedness of those companies to avoid greater risks. Keep reading as we explore the art of managing risk across your portfolio.
The Securities and Exchange Commission (SEC) recently released a proposal that would regulate the cybersecurity practices of private equity firms that invest in Managed Service Provider (MSP)-centric tech companies in the financial industry. While this is simply a proposal – and not law – it’s a best practice to execute these recommendations regardless. The proposal from the SEC aims to protect investors of portfolio companies, reduce fraud and breaches within the financial space, improve the cybersecurity practices of private equity groups, and bring the financial industry in line with the stricter cyber policies already in place in other industries.
What are the main benefits of implementing these protocols proactively? The obvious one is protection against risk. The more subtle advantages (still of great importance!) include saving money and attracting investors.
How prevention saves capital
The average cost of enduring a breach is constantly rising. IBM reports that last year, the average cost of a data breach was $4.24 million. Cybersecurity liability insurance rates are also skyrocketing. Since most companies carry this insurance (or absolutely should), you can mitigate costs by investing in the kinds of protection insurance companies love. Further, the cybersecurity-related underwriting requirements just to have a policy written have changed dramatically over the past two years.
How managing risk attracts investors
When you start work on a fund and are in the market for new investors, cybersecurity practices that protect investors and their cash are likely to improve investor confidence. Further, investors – and buyers down the line – have certain expectations that your company needs to be able to meet, and solid cyber measures are among them. Once you have these in place, your organization becomes that much more marketable. If you can show your investors that you have formalized a risk-management plan and are proactively implementing cybersecurity measures around a risk-based approach throughout your portfolio, it will go a long way. These preemptive steps can often reassure investors that a large-impact event with a bearing on their return is less likely to happen.
To get started
To get started, we recommend identifying a published and mature security standard (NIST, CIS, PCI, etc.) that’s applicable to the industry your portfolio company is in. If you have expertise within your portfolio companies or at the investment firm level, begin working to meet the controls of the chosen standard. This will help you establish what your risk management processes need to include and offer guidance in implementing it.
If you don’t have the expertise in-house, or as a follow-up step to augment your internal knowledge and provide third-party assurance, partner with an outside cybersecurity expert who can offer visibility into your existing risk management procedures and customize solutions around established standards relevant to your industry and business. The ideal partner in this due diligence process performs ongoing assessments, continually monitors each portfolio company, and improves its security and compliance maturity profile in a customized yet consistent manner. That way, as an investment organization, you can have cybersecurity reporting rolled up and reported to you at the portfolio level.
Sikich’s offerings provide private equity firms with benchmarking data, ongoing metrics and scoreability data. We are consultants, advising on the best options for you, but we are also sounding boards – taking your concerns and goals into consideration first and foremost. To discuss your cybersecurity needs, contact us.