Best laid plans to not go astray
Planning ahead must form a building block of certainty for private equity firms looking to bolster their cybersecurity infrastructure. An attack or a potential breach is bound to take place, given the current market conditions, and being well prepared is the bedrock of their defence and response to such an event.
“The more effort you put into your planning, the better the outcome will be when an attack happens,” comments Jamie Smith, Eze Castle Integration’s Director of International Technology. “It’s no longer about if it happens, but when. I think every company will either have a bump in the road or a full-on data leak at some point. It’s the reality of cyber today given there is a lot of bounty to be had in financial markets and the interest by bad actors is huge.”
Smith believes that a large part of a successful cyber programme is made up of tabletop testing: “Incident response isn’t accidental, it’s something you test and it’s perspective you gain when you do carry out these tests and gauge how quickly you react. The more you test your response, the better you’ll get at responding. Also, these tests need to have a certain level of granularity to cater for different types of cyber attack; having a different playbook for each one is really important.”
Planning an instant response to a cyber attack or a potential attack is critical to general partners (GPs) looking to strengthen their cybersecurity. “If you don’t have the skills to do it in-house, you can engage with third parties and find the right people specialised in this area and have them on a retainer to call in when you need them,” notes Smith.
Assessing the risk
Of late, private equity firms have been becoming more prescriptive in how their portfolio companies approach cybersecurity. “A PE firm builds a portfolio of different companies across different industries and sectors. There is often no baseline for the factors which might go into a cyber profile,” Smith outlines. “Therefore GPs are being stricter with how they expect their portfolio companies to manage their cyber risks and the infrastructure or processes they need to have in place.”
Although it may be hard to quantify, the cost of a breach is undoubtedly significant. Smith highlights: “To try to estimate the impact a breach can have on company valuations, the public markets can serve as a good proxy. Some metrics found a public company stock can drop as much as 11 percent in value following a cyber breach. In addition, such an event plays on people’s minds for a long time so the company is likely to experience a prolonged dip and a slow recovery. Portfolio companies could follow a similar trajectory if they are victims of a cyber attack.”
In addition to the valuation hit, the repercussions of the reputational damage caused by a cyber attack could be immense.
“The market cycle is a lot shorter now so a data breach at a company will be instantly in the news and spread on social media. This heightens the impact of such an event which makes damage control a lot more challenging,” Smith underscores.
In the context of the current market, where limited partners (LPs) have a lot more choice, this resonates even more.
“Since there are many investment opportunities bred by the market volatility, LPs are driven to invest in firms with proven track records and reputation plays a crucial role in that. In times of volatility, they want to put their money where they feel it’s safe,” says Smith.
A cyber attack can have a huge impact on a firm’s reputation and as a result, he believes the PE industry will see a lot more effort going into the due diligence process, with GPs carrying out full cyber assessments of a portfolio company before they invest in it.
“The penetration of cybersecurity programmes has increased in the past year. The shift to cloud-centric solutions has meant GPs began to re-certify and reclassify their cyber risks and how they’re securing their firm. This has led to significant interest and uptake of security programmes,” Smith observes.
He warns against considering cybersecurity as a tick-box exercise: “Cybersecurity isn’t something you can pick up and hold. There is a plethora of different things which play into it. The key to success here is strategy. It’s no good going out and buying products if you don’t understand how they can work together.”
Smith stresses the importance of cohesion: “You can buy a long list of products but without a strategy to pull them all together you could still fall victim to the biggest cyber breach ever.”
Working with an outsourced provider to assist with this can prove highly beneficial, especially for GPs still on the growth path. However, Smith says it’s crucial for firms like ECI to have a GP employee act as a cybersecurity sponsor: “This is the best relationship for us as we can work with that individual to identify the help they need and the gaps we can seek to fill. That internal sponsor can build trusted partnerships with experts and service providers to bolster the GP’s cybersecurity framework to outsource any elements they cannot fulfil directly themselves.”
These internal experts can also ensure the GP adheres to the strategy it set out for itself and is not overcome by the raft of cybersecurity products and solutions being brought to market. Smith highlights: “There are some great cyber products available at the moment, but GPs need to consider what they really need. This is where the relationship between the GP and the service provider comes into focus; we’ve worked with our clients to make sure that the business risk they’re exposed to warrants the additional span of security, so justifying any additional solutions is a huge part of our role as trusted partners to the industry.”
Jamie Smith, Director, International Technology, Eze Castle Integration
Jamie Smith is Director of International Technology at Eze Castle Integration. Jamie has over 15 years of IT experience specific to the hedge fund and alternative investment sector. Jamie served as head of technology for a financial-focused managed service provider where he helped drive the company’s growth and expansion from three to 70 employees. His experience also includes a six-year tenure on the technology team at global hedge fund and alternative asset manager, Och-Ziff Capital Management Group. With vast experience in technology bespoke to the alternative investment management space, Jamie is able to help Eze Castle Integration’s clients continue to leverage IT to achieve their strategic goals. Jamie attended University of Hertfordshire, where he studied Computing and Business. He also holds several industry-specific certifications for technologies such as Microsoft, VMware, Citrix and Cisco.