The worldwide Windows outage on 19 July 2024, triggered by a faulty CrowdStrike Falcon sensor update, put many organisations on notice, whether or not they were directly affected. For PE firms, with their complex IT environments and multiple stakeholders, cyber security should be a key consideration.
We asked Ed Starkie, Director of GRC, and Ben Hawkins, Senior Analyst, both of our Cyber Risk team, to run through the current state of cyber security for private equity, and what firms can do to strengthen and enhance their security.
What’s your number one piece of advice to a private equity firm that's yet to put a cyber security strategy and framework in place?
Ed: This is a nice easy one to start with. My top tip is to develop a cyber security strategy immediately. It is not only what comes from having a formal strategy that is critically important, but also the process of developing one. That means understanding the threats facing your business, prioritising key risks, establishing strong access controls, and investing in continuous monitoring and incident response plans to protect sensitive data, ensure resilience and maintain investor confidence. And, of course, consider partnering with cyber security experts to ensure robust protection and compliance. We would say that, but it’s true.
Why is it true, though?
Ed: The biggest barrier to creating robust cyber security in a PE firm is often a lack of specialised cyber security expertise and resources. There are a lot of reasons for that.
Ben: Can I just jump in here to agree with Ed, and to say that, based on my experience of working in private equity, those reasons mainly come back to size, and the allocation of funds and effort. So, as Ed says, investing in continuous monitoring is a top priority – but it’s often tough to get buy-in from relevant stakeholders in smaller firms to release investment in those latest tools and technologies.
Many PE firms lack dedicated cyber security professionals, making it challenging to create comprehensive security strategies, let alone put them in place. That’s a real problem for these organisations because PE firms tend to have multiple portfolio companies that create complex IT environments for them to work in.
Ed: Yes, and it’s worth adding that getting a standard approach across the portfolio companies is difficult, but failing to do it can be a regulatory compliance risk. I was reading a piece from the European Banking Authority where they were saying that PE firms come up against a general lack of awareness about the importance of cyber security across their portfolio companies and organisations. Recent events have shown that technology and cyber security incidents can and do have a significant impact on the valuation of a business, so PE must take this into consideration.
Ben: I do enjoy these insights into how you spend your spare time.
Ed: The EBA’s latest risk assessment report is gripping.
All right, so if you had to pick five key words to sum up how PE firms should foster a culture of cyber security, what would they be?
Ben: How about I do the first three and Ed can pick two more? I’d go for, ‘education, vigilance, and proactivity.’
Ed: Really, I think that covers it. Education for sure, but if you add ‘accountability’ and ‘collaboration’ that gives you all the essential bits you need to ensure that cyber security is both a shared responsibility and a priority for your senior leadership.
1. Education
2. Vigilance
3. Proactivity
4. Accountability
5. Collaboration
Here’s a question inspired by the Microsoft outage on 19 July. Although it’s difficult to cover briefly, what would you urge private equity firms to disclose to stakeholders and the public in the wake of a cyber incident?
Ed: Don’t be tempted to try saying nothing, even if the impact of something like 19 July on your firm is minimal. Apart from anything else, regulators increasingly require a degree of transparency. Disclose the nature and extent of the cyber incident, the immediate steps taken to reduce the impact, and provide assurances of enhanced future security measures. Maintain transparency while protecting sensitive details to uphold trust and demonstrate proactive management.
What do you mean by ‘transparency’?
Ed: Just be clear and honest – stick with the facts. You can do that without providing compromising details or too much information – for example, “Our systems detected unauthorised access to our network, and we are investigating the scope and impact. We’re working with cyber security experts who are conducting a thorough investigation. We will provide further updates to all impacted stakeholders.” And then, make sure you do provide further updates. Once the dust has settled, organisations should not only learn from the incident, but be seen to learn from it.
Sadly, our time is nearly up – Ben, this is one for you to wrap up on. What is the one key thing private equity firms are not doing in relation to cyber security that they should be doing?
Ben: Private equity firms – like many similar organisations – often neglect implementing continuous, real-time cyber security monitoring and threat detection systems, which are crucial for identifying and mitigating cyber threats proactively. Too many firms are relying solely on periodic assessments and reactive measures.
Thank you, Ed and Ben!