The Private Equity (PE) space faces the same risk of cyber-attacks as other industries, and firms have spent the last several years investing and making progress to protect themselves against continuously evolving cyber threats.
While they may have buttressed their own defences, PE managers now recognise that their portfolio companies are perhaps even more attractive targets for cyber breaches. Why? Because too often, these companies operate with far less focus on managing their holistic cyber risk than their PE owners, and lack the staff, knowledge, and access to premier solutions to ensure their cyber security.
Bad actors often begin with an easy-to-breach company, using it as a gateway into the actual target company that is sometimes one or even two layers removed. Any lack of security at portfolio companies can leave doorways open into PE firms’ environments and data, exposing firms to unnecessary and avoidable risks.
PE firms have traditionally relied upon Managed Service Providers (MSPs) to monitor cyber risk for their portfolio companies. Many of these providers used point-in-time scanning (e.g., penetration tests monthly, quarterly, or annually) to evaluate potential flaws. With recent hacks such as Kaseya, we have been reminded that cyber threats change by the day. This rapidly evolving risk landscape has given rise to—and demands—a new model of resilience via continuous risk management.
Unlike point-in-time scanning, the continuous monitoring model deploys ongoing vendor connectivity reviews, network testing, and endpoint monitoring to enhance firms’ lines of defence against cyber intrusions. Continuous risk scanning also enables firms to detect and mitigate vulnerabilities that may emerge as a result of the constant evolution of the enterprise technology stack, and to do so in real-time. This type of active and continuous risk management allows managers to better protect their firms against cyber risk, while raising employee awareness and vigilance.
PE firms now realise the risk mitigation process can no longer be a point-in-time exercise. The evolving cyber risk landscape requires firms to have active and continuous risk mitigation solutions and reporting in place, which means they need more than merely adequate technical and logical controls. They must institute cyber programs that are tested using real world scenarios so they have a clear picture of how the organisation would defend against and respond to an incident. This type of access to real-time cyber risk monitoring is the only thing that will enable firms to protect their most sensitive data and safeguard against internal and external threats, today and into the future. 
Jason Elmer, Co-President, Financial Services and Founder, Drawbridge
As the Founder and CEO of Drawbridge, Jason Elmer is responsible for leading the firm’s day-to-day operations, expanding its geographic footprint, and overseeing the continued global market expansion of its cybersecurity software and services. Elmer has more than 20 years of experience providing FinTech solutions to the alternative investment industry. Before Drawbridge, he served as a Managing Director at Duff & Phelps, where he founded and led the Cybersecurity Services team, working with alternative investment managers across the globe. Prior to that, he was a Partner at Abacus Group
