Ongoing maintenance vital for successful cybersecurity
Cybersecurity cannot be a onetime implementation exercise. It requires ongoing management, review and maintenance. And although there has been significant growth in private equity (PE) managers adopting cybersecurity software and solutions, there is still considerable progress to be made.
“It is clear we’re still working within an industry that is learning about its own cyber needs and goals,” points out Jason Elmer (pictured), CEO and founder at Drawbridge, “We’re still in an education phase, which is some way from an industry-wide standard or optimal level.”
This is despite the firm having witnessed significant growth of its services in the PE space over the course of 2020.
Elmer stresses the importance of reflecting changes in the way people work within any cyber policies: “Policies need to be practical in their implementation. There is no point writing policies which are either unenforceable or unachievable by staff and systems.
“It is critical for firms to work through a baseline of policies early, and to do this while selecting and building their technology platforms. It can be unpleasant to be forced to re-evaluate the implementation of a platform because it doesn’t meet the expectations set out while drafting policies. Something as simple as a new password policy can be difficult to implement once everyone has already set their expectations.”
Early consideration of cybersecurity also matters for portfolio companies. Elmer advises: “It’s critical that cyber be addressed early and comprehensively for any portfolio company. The fund should set the standard within its business and for its portfolio. Cybersecurity always needs to be driven from the top down, so the manager is seen as the driving force.”
PE managers increasingly need to handle news media outlets which are keenly aware of the impact cyber attacks can have. In addition, they need to cope with the rise in regulations around disclosure of such events.
“The consequences of a successful cyber attack are more transparent than ever. A PE firm’s reputation can be damaged quickly. It’s not unusual to see PR firms being involved in the recovery from a cyber attack, alongside technical and cybersecurity firms. This obviously adds to the cost of said recovery,” Elmer outlines.
Another cost concern is return on investment (ROI). This can be approached in a few different methods for private equity. Elmer explains: “Traditionally, we would calculate the Annual Loss Expectancy (ALE) of particular threats if mitigation methods are not in place. In comparing ALE to the cost of mitigations, we’re able to drive a comparison of ROI for various technologies.
“However, ALE is hard to quantify when PE is involved since some of the losses are not straight outages to commerce but centre on reputation and opportunities in the marketplace. In these instances, relying on studies such as the CISA “Cost of a Cyber Incident” (October 26, 2020) can help align business sector and size to known incidents and create an average value of loss, per PE firm or portfolio company.”
He underscores that across a PE firm and its portfolio companies, often a combination of the two is applied, with ALE being computed on disruptions to commerce and average losses on service industries.
Jason Elmer, Founder & CEO, Drawbridge
Jason Elmer has more than 20 years of experience within the financial services space, specifically in providing fintech solutions to the banking community, hedge funds, and private equity managers. Jason has worked closely with clients across a variety of areas of their businesses, including establishing cybersecurity and operations infrastructures; completing risk assessments; selecting appropriate service providers; performing vendor due diligence reviews; and preparing for and dealing with regulatory examinations and operational due diligence reviews.