Strategies for private equity firms
Private equity (PE) firms face a unique challenge in overseeing cyber security for multiple portfolio companies, each with its own risk profile and security needs. As cyber threats continue to intensify in response to global geopolitical factors, PE firms must develop strategies to protect investments and maintain portfolio stability. There are three main motivating factors for this:
- Our threat intelligence shows that PE and investment firms are being increasingly targeted by threat actors. These actors seek to leverage PE-specific activities that present opportunities for gain or operational interruption.
- Regulators are demanding more from Limited Partners and PE to manage cyber security risk and protect investments from potential losses.
- An increased recognition of unmanaged third-party concentration risk across portfolios.
Establishing clear expectations for cyber security
Implementing consistent cyber security practices across a diverse portfolio is crucial for effective risk management. Any cyber security controls or capabilities implemented or developed after a new technology or system has been designed, or (worse yet) in response to a cyber security incident, will be significantly more expensive.
To avoid expensive and hastily implemented controls and capabilities, PE firms should have clear expectations for cyber security across their portfolio. To do this, PE firms should:
Establish baseline security requirements: Define a set of minimum security requirements that all portfolio companies must adhere to regardless of their size or industry. While the requirements are non-negotiable, the mechanisms deployed to achieve the objectives can be flexible.
Develop a common risk assessment framework: Create a standardised approach to evaluate cyber risk across the portfolio, against which additional controls can be identified and prioritised to meet the necessary risk tolerance for the PE fund – both individually and at a portfolio level.
Tools, frameworks, and methodologies for portfolio-level risk assessment
To effectively manage cyber risk across a portfolio, PE firms should adopt an approach which encompasses tooling, shared insights, and tailored frameworks:
Reporting on and engaging with cyber security: Board members from PE firms should establish cyber security as a key topic for inclusion in board-level reporting, with meaningful KPIs that are aligned to the wider business strategy.
Automated scanning and monitoring tools: Implement technologies that continuously assess the security posture of portfolio companies, providing real-time insights into potential vulnerabilities. While the technology can increase the efficiency of efforts, the insights and knowledge of individuals experienced in interpreting the findings produced by tooling are what ensure change and improvement.
Portfolio cyber security centres of excellence: Organisations that cannot justify a full suite of in-house cyber security resources should consider facilitating access to a trusted pool of cyber security experts. These centres can provide the necessary input to boards to shape cyber security strategy and ensure alignment to industry trends.
Threat intelligence: Encourage access to threat intelligence so that portfolio companies stay informed about emerging risks and can adjust their security strategies accordingly. Such intelligence should be tailored, consumable, and considered within the context of the findings of targeted monitoring and insights.
Targeted monitoring and insights: Establish pragmatic and risk-driven cyber security control frameworks that:
- assess the organisation’s current cyber security posture; and
- capture and assess the ability of the organisation to rapidly respond to new threats.
‘Dynamism’ is a factor that is not often considered, but it is a vital attribute if organisations are to adjust, reprioritise, and respond to the demands of the changing threat landscape.
Prioritising resources and efforts
With limited internal resources, PE firms must prioritise their cyber security efforts effectively:
Risk-based approach: Focus on portfolio companies with the highest risk profiles or those that handle the most sensitive data. Specific cyber security considerations should be included when shaping the exit process, a step that should also be captured within the risk-based approach.
Value creation lens: Align cyber security investments with overall value creation strategies for each portfolio company. Embedding cyber security best practice early in asset ownership and investing continuously in cyber security is an underutilised value creation lever.
Continuous improvement: Implement a cycle of regular assessments and improvements to ensure that security measures evolve with changing threats and business needs. Continuous improvement will also foster a culture of rigour, process, and responsiveness that will benefit the wider business and its operations.
Outsource portfolio cyber security oversight efforts: There is a well-documented shortage of cyber security resources. PE could consider leveraging external organisations that have extensive experience of running complex engagements for time-pressured PE firms.
Fostering a culture of cyber security
To truly manage cyber risk across a diverse portfolio, PE firms must cultivate a strong security culture. To do this effectively the unique activities that are undertaken by PE funds should include cyber security considerations:
Executive engagement: Ensure that cyber security is a priority at the highest levels of both the PE firm and portfolio companies. An understanding and recognition of the importance of cyber security, with clear support for accompanying initiatives, is a foundational component upon which the most successful cyber security initiatives will be built.
Regular training and awareness: Implement ongoing cyber security education programmes for employees at all levels; these should be tailored to the changing threat landscape and encompass basic information regarding threat actors and their chosen methods of attack.
Specific PE elements: Recognising the value of cyber to an investment, cyber security should be factored into the deal funnel as early as possible and embedded within the asset valuation processes. This includes having cyber security as a component in the deal sourcing filter, and later by having appropriate cyber security due diligence that feeds directly into existing processes.
Incident response preparedness: Develop and regularly test incident response plans that span the entire portfolio. Establishing a pan-portfolio threshold for cyber security incidents that feeds into a centralised reporting mechanism will ensure PE funds are kept informed of significant incidents and can be proactive if approached by concerned LPs.
By adopting the activities and approaches outlined above, PE firms can effectively manage cyber risk across their diverse portfolios, protecting investments and creating long-term value. A proactive and comprehensive approach to cyber security is now essential for success in the private equity sector.
How we can help
Thomas Murray Portfolio Cyber Risk Management and cyber security due diligence services include:
Advisory services: Our team can support you by defining and implementing either all or only the strictly required components for portfolio cyber risk monitoring. Our team has experience of providing cyber security due diligence on hundreds of deals across all industries.
Technology and implementation: Leveraging the Orbit Risk platform to automate lifecycle management of portfolio risk monitoring and external attack surface assessment, we can create cost and time efficiencies that can leave you freer to focus on your core operations.
Managed service: Our managed service is modular. It allows you to select from various components, life cycle management processes, and reporting – enabling you to tailor the service to your requirements, internal team capacity, and capabilities.