
We have previously discussed the growing threat that concentration risk poses to portfolio companies, and the fact that within private equity (PE) it is still not an area given enough consideration. 

Knowing what to look for is the first step. You have to be able to identify:  

  • the underpinning elements of concentration risk;  
  • why it is a growing concern;  
  • what is being done in other areas of industry and regulation; and  
  • what PE should be doing to identify and address this area of risk. 
Edward Starkie, Director, GRC | Cyber Risk, estarkie@thomasmurray.com

Ben Hawkins, Senior Analyst | Cyber Risk, bhawkins@thomasmurray.com

Our concerns proved timely: they coincided with the CrowdStrike incident of July 2024, in which a faulty content update to a widely deployed endpoint security agent took millions of Windows hosts offline at once. That drew national and international attention to the dangers of entrusting the provision of critical services across the wider economy to a handful of technology providers. 

‘Information technology monoculture’ 

The Financial Conduct Authority’s (FCA) definition of concentration risk reflects that it is usually considered at the level of the individual firm and its counterparties: 

“[Concentration risks are the] risks arising from the strength or extent of a firm’s relationships with, or direct exposure to, a single client or group of connected clients.”  

What it does not capture is the concentration that builds up across a portfolio of companies under common private equity ownership, where many otherwise unrelated firms end up sharing the same providers.  

The US Centre for Cybersecurity Policy and Law’s Addressing Concentration Risk in Federal IT (June 2024) outlines work undertaken by the Centre and departments within the US Federal government. They conducted exercises to address concentration risk, or the ‘information technology monoculture'. The results were concerning. 

A call for enhanced risk management frameworks 

The paper makes clear the need to extend formal risk management frameworks to cover concentration risk. This is crucial not only for US federal IT functions, but also for broader cyber security efforts across all sectors and jurisdictions. The implications stretch far beyond government infrastructure, and they highlight a significant area of concern within PE funds. 

The challenges facing the US federal IT landscape mirror those within the PE space, particularly as both ecosystems rely heavily on technology and outsourced service providers. The use of these providers lengthens the supply chain, creating additional complexity and vulnerabilities. While businesses and certain industries have prioritised securing their supply chains, this critical focus has been largely overlooked within PE at the fund level, placing investors at unnecessary risk. 

Why is the PE industry particularly exposed to concentration risk? 

During the value creation phase of asset ownership, PE funds typically rely on familiar technologies, services, and providers. This approach allows them to leverage prior experience to meet similar objectives or overcome recurring challenges.  

While this can offer commercial advantages, if left unmanaged it introduces significant concentration risk. The worst-case scenario for a PE fund is that multiple portfolio companies are simultaneously affected by the same incident, whether a breach, an exploited vulnerability or an outage, because they share the same technology or provider. Such incidents can disproportionately impact the fund, potentially undermining its ability to realise its investments, threatening long-term cash flow, or reducing the ultimate value of the investment. 

Mitigating unmanaged concentration risk in PE 

To address this unmanaged concentration risk, PE houses must extend their engagement with portfolio companies. Gaining visibility into the current and planned use of technology and service providers across the portfolio is the first essential step.  

Once these vendors are identified, it is critical to develop mechanisms and processes to evaluate whether key services (endpoint protection, cloud hosting, identity, backup and similar) are supplied by the same provider across multiple companies, and whether those providers in turn depend on a common upstream provider. Each such overlap increases the number of companies a single failure can take down at once. 
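The evaluation step above is the one place where a concrete calculation helps. The following Python script is an added illustration, not Thomas Murray's tooling: it takes a constructed inventory of portfolio companies and the vendor each uses per service category, plus an assumed map of which vendors depend on which upstream providers, and computes two things: the "blast radius" of each provider (how many portfolio companies are affected if it fails, counting one level of indirect dependency) and a Herfindahl-Hirschman index per service category. The company, vendor and category names and the 50% thresholds are assumptions chosen for the example; the indirect-dependency step goes slightly beyond the text to show why direct vendor counts alone understate exposure.

```python
"""Portfolio vendor concentration check (illustrative example, not production tooling)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample inventory: portfolio company -> {service category: vendor}.
PORTFOLIO: Dict[str, Dict[str, str]] = {
    "AlphaCo":   {"edr": "VendorE1", "cloud": "CloudA", "identity": "IdPX"},
    "BetaLtd":   {"edr": "VendorE1", "cloud": "CloudA", "identity": "IdPY"},
    "GammaInc":  {"edr": "VendorE1", "cloud": "CloudB", "identity": "IdPX"},
    "DeltaGmbH": {"edr": "VendorE2", "cloud": "CloudA", "identity": "IdPZ"},
    "EpsilonSA": {"edr": "VendorE1", "cloud": "CloudA", "identity": "IdPY"},
}

# Constructed (assumed) fourth-party map: vendor -> upstream providers it runs on.
SUBPROVIDERS: Dict[str, Set[str]] = {
    "VendorE1": {"CloudA"},
    "IdPX": {"CloudA"},
    "VendorE2": {"CloudB"},
}


def blast_radius(portfolio: Dict[str, Dict[str, str]],
                 subproviders: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map each provider to the set of portfolio companies that would be hit if it failed.

    A company is affected by a provider it uses directly and by any upstream
    provider (one level deep) that one of its direct vendors depends on.
    """
    affected: Dict[str, Set[str]] = defaultdict(set)
    for company, services in portfolio.items():
        for vendor in services.values():
            affected[vendor].add(company)
            for upstream in subproviders.get(vendor, set()):
                affected[upstream].add(company)
    return dict(affected)


def hhi_by_category(portfolio: Dict[str, Dict[str, str]]) -> Dict[str, float]:
    """Herfindahl-Hirschman index per service category: sum of squared vendor shares.

    Ranges from 1/n (every company uses a different vendor) to 1.0 (a single vendor).
    """
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for services in portfolio.values():
        for category, vendor in services.items():
            counts[category][vendor] += 1
    result: Dict[str, float] = {}
    for category, vendors in counts.items():
        total = sum(vendors.values())
        result[category] = sum((n / total) ** 2 for n in vendors.values())
    return result


def flag_concentration(portfolio: Dict[str, Dict[str, str]],
                       subproviders: Dict[str, Set[str]],
                       share_threshold: float = 0.5,   # assumed: flag providers hitting >= 50% of companies
                       hhi_threshold: float = 0.5,     # assumed: flag categories with HHI >= 0.5
                       ) -> Tuple[Dict[str, List[str]], Dict[str, float]]:
    """Return (providers whose blast radius meets the share threshold, categories whose HHI meets the HHI threshold)."""
    n = len(portfolio)
    radius = blast_radius(portfolio, subproviders)
    flagged_providers = {p: sorted(cos) for p, cos in radius.items()
                         if len(cos) / n >= share_threshold}
    flagged_categories = {c: h for c, h in hhi_by_category(portfolio).items()
                          if h >= hhi_threshold}
    return flagged_providers, flagged_categories


if __name__ == "__main__":
    providers, categories = flag_concentration(PORTFOLIO, SUBPROVIDERS)
    direct = blast_radius(PORTFOLIO, {})
    for name, companies in providers.items():
        print(f"{name}: {len(companies)}/{len(PORTFOLIO)} companies exposed "
              f"({len(direct.get(name, set()))} directly): {', '.join(companies)}")
    for category, hhi in categories.items():
        print(f"category {category}: HHI {hhi:.2f}")
```

On the sample data CloudA is used directly by four of the five companies, but because the fifth company's EDR and identity vendors themselves run on CloudA, its real blast radius is the whole portfolio. That hidden overlap is exactly what a direct-vendor list alone will not show, and why the inventory needs to reach at least one tier beyond the contracted vendor.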

The finance industry has already begun to tackle these issues: the Digital Operational Resilience Act (DORA) requires in-scope financial entities to maintain a register of their ICT third-party arrangements and establishes oversight of critical ICT third-party providers. PE houses can draw valuable lessons from this regulatory development. However, in the PE space, it will be up to the funds themselves to take on the role of data coordinator or engage a trusted third party to oversee this responsibility. 

Proactive action is key 

Ultimately, it is up to each PE house to decide whether to address these risks and assess its fund's exposure to concentration risk. Although the full extent of the threat may not always be immediately clear, recent incidents (such as the CrowdStrike outage) demonstrate how unmanaged risk can have far-reaching consequences. These risks may not be fully understood when viewed in isolation but become clearer through the lens of concentration risk. 

By taking proactive steps to manage concentration risk, PE funds can better protect their portfolios and safeguard investor interests from the systemic challenges posed by shared technologies and service providers. 

Time for PE firms to focus on concentration risk