
1. Introduction

In the current era of heightened cyber threats and operational disruptions, private equity (PE) firms and their portfolio companies (PortCos) must prioritise resilience to protect their investments and maintain competitiveness. PE firms can significantly reduce their risk exposure and boost asset value by incorporating cyber and operational resilience measures into their investment strategy.

This article aims to provide an overview of how PE firms can achieve cyber and operational resilience, within the context of compliance with relevant regulations.

Within the appendix you will find ten cyber and operational resilience regulations that could directly or indirectly impact a PE firm’s PortCos.


2. Why resilience is now strategically vital for PE firms and portfolio companies

PE firms, depending on their investment strategy, invest in one or multiple regulated sectors worldwide. Historically, financial services and healthcare have been the most heavily regulated sectors, with business-to-consumer (B2C) industries also subject to stringent privacy regulations, some of which are listed in the appendix.

However, there is a growing trend towards expanding regulatory coverage to other sectors, including technology, data centres, IT services, fintech, manufacturing, and research and development. Furthermore, regulations are becoming increasingly prescriptive about cyber and operational resilience requirements, with a particular emphasis on critical infrastructure, including the financial services and healthcare industries.

This shift reflects a regulatory landscape that is becoming more comprehensive and more stringent in response to emerging risks.

By prioritising resilience, PE firms and their PortCos can navigate this complex regulation, meet their distinct business objectives and comply with domestic and regional legislation, all while maintaining competitiveness.

The regulations listed within the appendix share several key thematic requirements, categorised below:

  • Risk Management and Governance
  • Incident Management and Reporting
  • Business Continuity Planning (BCP) and Disaster Recovery (DR)
  • Third-Party Risk Management

2.1 Risk Management and Governance

Key Requirements: Clear governance frameworks with defined roles and responsibilities for identifying, assessing, and controlling cyber and operational risks. For example, NIS2 and DORA require board-level accountability and oversight, ensuring that leaders actively monitor and mitigate risks.

How it can protect stakeholders:

  • Reduces the likelihood and impact of cyber incidents and operational failures.
  • Helps prevent customers’ data from being leaked or sold.
  • Reduces the risk of negative press and the reputational damage that follows it.

2.2 Incident Management and Reporting

Key Requirements: Implement measures to prepare for, respond to, and report incidents to regulators and affected parties promptly, typically within strict timeframes. NIS2, for example, requires an early warning to the competent authority within 24 hours of becoming aware of a significant incident, followed by a fuller notification within 72 hours and a final report within one month.

How it can protect stakeholders:

  • Enables coordinated response to minimise impact.
  • Maintains regulatory compliance.
  • Preserves company reputation through responsible crisis management.

2.3 Business Continuity Planning (BCP) and Disaster Recovery (DR)

Key Requirements: Develop plans to maintain or restore critical business functions during operational disruptions and adverse incidents such as cyber-attacks, natural disasters, or technical failures. Test the plans regularly (for example, through scenario-based exercises) and update them as conditions change, so that they remain effective when they are needed.

How it can protect stakeholders:

  • Customers and business partners are less likely to experience outages or loss of core business functions.
  • Sustains confidence in the business’s capacity to maintain normal operations, or operations as close to normal as is reasonably feasible.

2.4 Third-Party Risk Management

Key Requirements: Reduce supply chain risk exposure through assessment and oversight of third-party service providers, enforced through due diligence, contractual controls, and continuous monitoring.

How it can protect stakeholders:

  • Helps prevent data breaches and operational disruptions originating in the supply chain.
  • Strengthens board-level accountability and brand confidence, sustaining business value and supporting the sale value at exit.
  • Avoids non-compliance penalties and limits personal liability.

3. The potential impact of these regulatory requirements on PE firms

PE firms can leverage regulatory requirements to drive proactive cyber risk management in PortCos that operate within regulated sectors with cyber and operational resilience mandates.

This would enable the PE firm to retain or enhance the PortCo's value. Evidence of strong cyber and operational risk management practices would be beneficial during the exit planning phase for the PE firm.

In cases where the PortCo does not meet regulatory requirements, it could attract negative press or incur fines, potentially affecting its valuation and the PE firm’s ability to generate its required return on investment. Certain regulations also impose personal liability on company directors (NIS2, for example, provides for management bodies to be held liable for infringements). The PE firm could be directly impacted by this, depending on:

  • The type of investment.
  • Percentage of the voting rights and/or number of seats on the PortCo's board.

Some examples of cyber and operational resilience regulations that could directly or indirectly impact a PE firm’s PortCos:

  1. Network and Information Systems (NIS2) Directive (EU)
  2. Digital Operational Resilience Act (DORA) (EU)
  3. The European Union’s Cyber Resilience Act
  4. UK Cyber Security and Resilience Bill (proposed)
  5. Office of the Superintendent of Financial Institutions (OSFI)’s E-21 Guideline (Canada)
  6. The Federal Financial Institutions Examination Council (FFIEC) Guidelines (USA)
  7. Financial Conduct Authority (FCA) Policy Statement PS21/3 (United Kingdom)
  8. Cross-Industry Prudential Standard (CPS) 230 (Australia)
  9. Notice FSM-N05 Technology Risk Management (Singapore) 
  10. Hong Kong Monetary Authority Guidelines

4. Key Takeaways

Implementing cyber and operational resilience measures is a strategic imperative for PE firms and their PortCos, enabling them to reduce the impact of cyber risks on asset valuations.

To navigate the complex regulatory landscape surrounding cyber and operational resilience, Thomas Murray recommends PE firms do the following:

  1. Assess the portfolio for regulations that might apply directly or indirectly. A PortCo that operates within a regulated client’s supply chain may be indirectly subject to that client’s obligations, for example through contractual requirements the client must impose on its third-party providers.
  2. Incorporate existing and potential cyber and operational resilience issues into pre-investment due diligence.
  3. Include cyber and operational resilience within business-as-usual (BAU) monitoring of PortCos. This could be done through a combination of the following:
    1. Integrating regulatory requirements into PortCos’ periodic cyber risk assessments.
    2. Regularly assessing PortCos’ compliance levels to understand how they are meeting requirements.
    3. Integrating cyber and operational regulatory questions into PortCos’ ESG assessments.
    4. Establishing a digital knowledge centre and communication channels through which PortCos can manage cyber and operational risk and demonstrate compliance.
