Building a culture of security

By A Paris

General partners (GPs) have a raft of technology solutions to choose from when looking to make sure their cybersecurity infrastructure is robust. Deploying state-of-the-art technology which meets the needs of the organisation and provides the security necessary is vital for GPs to continue operating, both from a regulatory point of view and also to ensure they continue to attract capital.

However, systems alone are not enough. A large part of cybersecurity relies on all the firm’s staff – from the C-suite to regular employees. Their understanding, vigilance and willingness to highlight any issues they may encounter in the course of their working day can make or break a PE firm’s cybersecurity strategy. In view of this, organisational culture plays a huge role in ensuring GPs are securing their data and that of their portfolio companies.

A study of 50 major data breaches carried out by Boston Consulting Group (BCG) found that only 28 percent were caused by inadequate security technology. “In the vast majority of cases — 72 percent — the breach was the result of an organisational failure, a process failure, or employee negligence,” the consultancy outlines.

In a research paper for the Harvard Business Review, Keri Pearlson, Brett Thorson, Stuart Madnick and Michael Coden explain the importance of testing and making sure that even the C-suite are familiar with all the necessary protocols.

“To make sure they are aligned and aware of company plans during a cyber attack, they [C-suite executives] need to practice ahead of time and build muscle memory in how to respond. Simulated scenarios help organisations to validate their plans and prepare company leaders,” the authors write.

Jamie Smith, Eze Castle Integration’s Director of International Technology, stresses the importance of tabletop testing: “Incident response isn’t accidental, it’s something you test and it’s perspective you gain when you do carry out these tests and gauge how quickly you react. The more you test your response, the better you’ll get at responding. Also, these tests need to have a certain level of granularity to cater for different types of cyber attack; having a different playbook for each one is really important.”

RFA outlines the benefits of phish testing and security awareness training: “Training significantly reduces your chances of a breach or an attack. Knowledge is always power. Educating your employees and developing a security-conscious culture is essential and typically not a priority for firms, but it should be,” says RFA global managing director, George Ralph.

Jason Elmer, CEO and founder at Drawbridge, advises: “Driving cybersecurity within the firm must come from the top down, and ownership remains within the firm. Should a GP choose to hire a cybersecurity specialist in-house, it is critical that this person be educated enough on the importance and impact of cybersecurity to drive enforcement. That can come from careful work with a cybersecurity firm and does not necessarily require prior skills or expertise.”

As the incidence of cyber attacks continues to rise and the likelihood of falling victim to one is high, GPs need to make sure to foster a culture in which employees feel comfortable coming forward with any concerns. A culture of blame in this regard is severely disruptive. So, although cybersecurity is to some degree everyone’s responsibility, it is up to GP management to empower its employees to speak up. Smith details: “It’s important for people to know what to look for and know when to raise their hand and highlight any issues. It is really important that the culture within the firm is one of togetherness and everyone pulling the same rope, rather than finger wagging at someone who has forwarded something suspicious or clicked on a phishing email.”

Organisations should strive for adherence (active participation) rather than compliance – rapidly emerging threats require employees who are engaged and willing to step up. Organisational leadership has a key role in developing effective and workable security – by helping security specialists to fit security into the business, breaking down silos and leveraging other organisational capabilities (safety, HR, communications) – but not least by setting the tone and leading by example.

Security issues across the deal lifecycle

A guide published by the British Private Equity and Venture Capital Association (BVCA) together with PwC highlights the key principles GPs should consider in relation to cybersecurity.

“Private equity fund managers should care about cybersecurity risk in a deal context because it can either cost or generate money depending on how it is treated. The frequency of cyber attacks and the complexity of the threat are increasing, and the downside risk that comes with poor handling of the issue can be significant and manifest in a variety of ways,” the guide warns.

There are differing cybersecurity considerations within each phase of the deal lifecycle. When conducting due diligence, GPs need to identify risk exposures and factor any remediation into their negotiations as appropriate. In the onboarding phase, GPs need to help the portfolio company achieve a baseline level of security maturity which is at least in line with its industry peers.

During the value creation stage, firms should initiate enhanced programmes to maximise security capability and establish this as a business differentiator. Validating that the organisation has not suffered an unknown breach is then an essential step GPs must take when preparing for a sale.

The BVCA guide advises: “More money is not always the answer. Many companies underspend on security, but many others spend too much or poorly. Optimise security and make sure your portfolio companies are not carrying unnecessary fat.”

According to Paul Harragan, EY-Parthenon Director, Strategy and Transactions, Ernst & Young, PE firms are beginning to change their behaviours in relation to cybersecurity diligence, though they were historically lax in this area: “PE executives are beginning to understand that if something were to happen, they would be at risk of financial, investment and brand damage.

“This is due to an increased awareness of threats to their portfolio companies and their own operations… Prominent data breaches have shown the scale of the potential impact on the value of a compromised portfolio company.” In addition, he argues the pandemic also contributed by widening the landscape and leaving investment managers exposed as a result of the change in operating models most had to implement.