By Paul Harragan, EY – For many large cap and mid-market funds, cybersecurity risk is no longer a topic that is left off the boardroom agenda, in-fact effective cybersecurity risk management is considered a key driver for value creation.
Understanding cybersecurity risk provides investors’ confidence and comfort during the hold period and at exit stage avoiding the pitfalls of value erosion.
Value Creator – At exit, if the asset can provide clear evidence that cybersecurity risk has been controlled throughout the hold period, highlighted by a strong maturity posture and zero indicators of compromise.
Value Erosion – Potential Impact to value and brand caused by security incidents such as service disruption, loss of Intellectual Property and data breaches.
The learning process to understand cybersecurity risk across the portfolio typically lead controllers to analyse the following key considerations:
- The cybersecurity risk on each of their holding assets, established against suitable best practice for their industry and size
- The holistic cybersecurity risk picture for all assets across the portfolio
- The growth of the threat landscape for each of their assets as capital injects and enhances the businesses (investment hypothesis)
- New and emerging cybersecurity threats, such as new attack methods or threats being introduced as a result of technology and industries evolving
- The cost and time to achieve mitigation along with their priority
However, it’s clear from many discussions with portfolio controllers that several challenges arise from this process. I have therefore identified my top four cybersecurity risk challenges for portfolio controllers and how to address them.
Cyber risk analysis – how to measure cybersecurity risk across the portfolio
To understand cybersecurity risk across the portfolio each asset needs to have a cybersecurity assessment performed. In theory, reviewing all the results side-by-side ‘should’ indicate where cybersecurity risk sits across the portfolio.
However, in practice this approach is where many challenges occur. For example, assets within different sectors, such as energy and retail, have completely different operating environments. As a result, they also have completely different threat landscapes and different operating reach.
A further challenge is percentage ownership. Risk is viewed differently if you own a majority stake (>%51) over a smaller investment (not majority). Or maybe a smaller stake but a larger capital investment over a smaller majority stake.
Finding a consistent metric is key to overcoming this challenge. As such, the deal thesis constitutes the only measurable metric that can be applied to all assets within the portfolio and that sets the lens to define risk.
Using this approach alongside traditional cybersecurity gap analysis style assessment is the key to comparing cybersecurity risk across the portfolio.
Understanding how the threat landscape evolves/widens during the hold period
Cybersecurity due diligence is now for many private equity firms an important part of the routine of deal-flow process. However, traditional cybersecurity diligence only focuses on gaining an historical and cybersecurity risk posture state view at the time of the assessment. This will typically identify risk and provide a gap analysis against a chosen industry framework or standard.
The challenge for portfolio controllers is understanding the cybersecurity risk exposure when the invested capital is realised and the business operating model evolves, such as geographical or customer expansion via a new service offering, introducing new attack vectors and widening the threat landscape.
To ensure portfolio controllers are best prepared, enhancements to the due diligence process are required. Using the deal thesis as a key risk lens will enable the assessment to threat model the future attack vectors and geographical compliances that the business will face and put in place preparations for both forecast budgets and operations.
Influencing boards to embed a strong cybersecurity culture
Consistency is vital when trying to measure cybersecurity risk across the portfolio. How cybersecurity culture is embedded within the business typically starts from the boardroom.
Decision makers need to be presented with facts on the cybersecurity front, which spawn forward-looking decisions. A clear understanding of the cybersecurity related risks, especially when trying to decide what is the best course of action, can significantly help in minimising the risk of unexpected value erosion.
For investors the challenge is influencing the cybersecurity maturity expectation across the portfolio where scenarios are different (investment stakes are large and small, different operating models, size and complexity of the business, the industry the business sits in, etc).
To overcome this challenge, decision makers in the boardroom need to gain visibility across all entities, collectively or independently, by having a clear understanding of the cybersecurity risk exposure, and the holistic cybersecurity posture. This translates into having consistent and frequent cybersecurity reviews (due diligence), which will allow to quantify the cybersecurity risk exposure from a deal-flow perspective, understand the bigger picture by combining factual data originating from up-to-date external metrics.
Replaying report results to the board will provide valuable insight and a compelling argument to embed a strong cybersecurity culture that is aligned with the investors’ expectations.
Understanding when enhancements to cybersecurity maturity is made or reduced
Typically, each portfolio asset will have a list of risks to mitigate or remediation projects to complete in order to reduce the risk of potential cybersecurity incidents. For portfolio controllers, understanding the real-time changes to the business when risks have been mitigated is important as this will reduce the risk profile of the asset. Alternatively, remediation projects may slip or run out of budget.
A prominent consideration for portfolio controllers is understanding the maturity position. To overcome this challenge, the adoption of frequent cybersecurity assessments is vital in ensuring risk mitigations are performed and there is an understanding of how new attack vectors are addressed.
Frequent cybersecurity assessments based on both the deal thesis and standard best practices will enable portfolio controllers to understand the posture state of each of their assets at any given time throughout the hold period. If performed correctly at the exit stage, evidence will be available to provide prospective buyers and insurance underwriters, protecting or even enhancing the EBITDA forecast.
Paul Harragan
Director of Strategy and Operations, Cybersecurity, EY
Paul Harragan is a Director in EY’s Transactions Strategy & Operations team specialising in Information Security, Cyber Defence and IT transformation. He advises both private equity and corporates on cybersecurity strategy, risk and transformation across the capital agenda. Paul has led Cybersecurity diligence on deals with a combined equity value of over $50bn, across multiple industries and on a global basis. He works across the transaction lifecycle to helps investors define, create and protect value. Paul works across industries but has a particular focus on TMT, Banking, Capital Markets, Digital and Retail.
Paul is a qualified Ethical Hacker and Security Solutions Architect. Paul is a frequent speaker on cybersecurity and has spoken at events such as BlackHat and OWASP events.
