Ongoing maintenance vital for successful cybersecurity
Cybersecurity cannot be a one-time implementation exercise. It requires ongoing management, review and maintenance. And although there has been significant growth in private equity (PE) managers adopting cybersecurity software and solutions, there is still considerable progress to be made.
“It is clear we’re still working within an industry that is learning about its own cyber needs and goals,” points out Jason Elmer, CEO and founder at Drawbridge. “We’re still in an education phase, which is some way from an industry-wide standard or optimal level.”
This is despite the firm having witnessed significant growth of its services in the PE space over the course of 2020.
Elmer stresses the importance of reflecting changes in the way people work within any cyber policies: “Policies need to be practical in their implementation. There is no point writing policies which are either unenforceable or unachievable by staff and systems.
“It is critical for firms to work through a baseline of policies early, and to do this while selecting and building their technology platforms. It can be unpleasant to be forced to re-evaluate the implementation of a platform because it doesn’t meet the expectations set out while drafting policies. Something as simple as a new password policy can be difficult to implement once everyone has already set their expectations.”
Early consideration of cybersecurity also matters for portfolio companies. Elmer advises: “It’s critical that cyber be addressed early and comprehensively for any portfolio company. The fund should set the standard within its business and for its portfolio. Cybersecurity always needs to be driven from the top down, so the manager is seen as the driving force.”
PE managers increasingly need to handle news media outlets which are keenly aware of the impact cyber attacks can have. In addition, they need to cope with the rise in regulations around disclosure of such events.
“The consequences of a successful cyber attack are more transparent than ever. A PE firm’s reputation can be damaged quickly. It’s not unusual to see PR firms being involved in the recovery from a cyber attack, alongside technical and cybersecurity firms. This obviously adds to the cost of said recovery,” Elmer outlines.
Another cost concern is return on investment (ROI). This can be approached in a few different ways for private equity. Elmer explains: “Traditionally, we would calculate the Annual Loss Expectancy (ALE) of particular threats if mitigation methods are not in place. In comparing ALE to the cost of mitigations, we’re able to drive a comparison of ROI for various technologies.
“However, ALE is hard to quantify when PE is involved since some of the losses are not straight outages to commerce but centre on reputation and opportunities in the marketplace. In these instances, relying on studies such as the CISA ‘Cost of a Cyber Incident’ (October 26, 2020) can help align business sector and size to known incidents and create an average value of loss, per PE firm or portfolio company.”
He underscores that across a PE firm and its portfolio companies, often a combination of the two is applied, with ALE being computed on disruptions to commerce and average losses on service industries.
Jason Elmer, Founder & CEO, Drawbridge
Jason Elmer has more than 20 years of experience within the financial services space, specifically in providing fintech solutions to the banking community, hedge funds, and private equity managers. Jason has worked closely with clients across a variety of areas of their businesses, including establishing cybersecurity and operations infrastructures; completing risk assessments; selecting appropriate service providers; performing vendor due diligence reviews; and preparing for and dealing with regulatory examinations and operational due diligence reviews.