Chief Information Officers Can Play a Role in Driving Private Equity Returns

Strong IT strategy can improve the returns of portfolio companies, says E78 Partners' John Buccola.



Investment firms have increasingly relied on technology services for security, making the role of the chief information officer or chief technology officer increasingly important. For investment firms, a strong information technology strategy can also help boost investment returns, according to John Buccola, chief technology officer of E78 Partners, which provides services to private equity backed firms in the middle market.

As IT security threats increase, and as generative AI becomes much more important, limited partners are asking private equity firms about the role of their chief information officers and “what that person can do to really impact the business,” Buccola says. 

Growth, Productivity and Optimization

According to Buccola, who has been a chief information officer at multiple PE-backed companies, private equity firms see higher returns when a chief information officer is fully empowered to drive IT strategy in a portfolio company. But first, a PE-backed company should have its data in order. “If there is an immaturity in data, it’s very difficult to overlay advanced technologies on top of that, it’s garbage in garbage out,” Buccola says. 


One way good IT strategy and AI can improve growth is by accelerating due diligence. Buccola notes that as an outsourced provider of CFO and fund administration services to the alternative investment industry, E78 has accelerated the due diligence process for PE-backed companies by using AI to review contracts and an organization’s strategy to make a decision more quickly than usual.

“I think prior to some of these technologies being available, that process would just take an inordinate amount of time and then you figure some things potentially are at risk with an asset,” Buccola says, noting that traditionally, some risks are not found until a thorough due diligence process, risks that could be found much earlier if using AI.

An example Buccola pointed to was if Company A wanted to acquire Company B, but it was not until later in the due diligence process that it was discovered that Company B’s commercial contracts were all expired. “How much time was spent getting to that stage before they were actually able to see oh gee, this is actually a problematic asset?” Buccola says, noting that AI tools can discover these types of risks earlier.

“It’s really incumbent on any company, but especially private-equity-backed firms to really understand their digital strategy, to understand their posture to really do their homework and diligence before pulling the trigger on an acquisition,” Buccola says.

According to research from Bain & Company, many private equity firms are incorporating AI into their due diligence process, and they are also assessing AI risk in nearly every diligence process. Bain expects that this will be as routine in the diligence process as legal and commercial diligence. 

In another example, one of Buccola’s clients that runs retail stores was looking to expand regionally. In such cases, AI tools could be used to quickly examine where the competitive forces are more pronounced, and where there is maybe some elasticity in demand.

Lastly, strong IT strategy and AI can boost productivity for PE-backed organizations, according to Buccola. “Every organization should be thinking through and harnessing those technologies because they’re very, very, very simple to integrate into an information technology strategy.”

IT Needs and Threats to Private Equity Firms 

“Keeping an organization secure is top of mind, it’s table stakes for CTOs,” Buccola says. However, in the age of AI, security risks are becoming more and more sophisticated. “I think a lot of investors have become very aware of the opportunity that generative AI and machine learning presents to an organization and potentially the threats that that presents to an organization.”

Security risks are also becoming very personalized and targeted to specific people within organizations. A DocuSign phishing email might target a salesperson with a subject line related to a commissioning agreement, or an email to an operations manager related to client onboarding. These types of phishing emails are becoming more tailored to a role a person has, according to Buccola.

“It’s incumbent on the organization to keep pace with that and to put in an appropriate response and remediation to any of those potential exposures.”


SEC Finalizes Reg S-P Data Security Rule

Covered parties must inform customers of a data breach within 30 days.



The Securities and Exchange Commission finalized amendments to Regulation S-P on Thursday. The rule will require broker/dealers, registered advisers, investment companies and transfer agents to develop policies to protect customer data and to inform affected customers of a data breach within 30 days.

The updates to Reg S-P were first proposed in March 2023. Like the proposal, the final rule requires covered institutions to maintain written policies that are “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information,” and maintain an “incident response program.”

Covered parties must also “provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization.” This notification must take place “as soon as practicable, but not later than 30 days” from when the institution learned of the breach.

SEC Chairman Gary Gensler explained in a statement that the purpose of customer notification is to “help ensure that customers receive sufficient notice to take measures to protect themselves from harm that might result from the breach.” Under pre-existing rules, there is no mandate to inform customers of a breach, according to Gensler.


In the event reporting a breach to a customer could compromise national security or public safety, the attorney general may request a 30-day extension. The final rule said that the SEC would also consider additional delays. In response to commenters, the SEC indicated that it has created an interagency line for this purpose and guidance on how covered parties can request an exemption. It also clarified that local and state law enforcement can make such a request on their own behalf.

David Oliwenstein, a partner with Pillsbury Winthrop Shaw Pittman, says that covered parties must disclose a breach unless the party reasonably determines that there is minimal risk of “substantial harm or inconvenience” regarding sensitive customer information. He says that they will have to “apply a commonsense framework” since this phrase is not specifically defined.

Oliwenstein says the SEC will expect covered parties to have policies on employee training, network security, internal notifications, and the confirmation and classification of incidents. There will also be an “expectation from the regulators that registrants actually take measures to test the adequacy of their programs,” which can include the simulation of a breach to “see how folks respond internally, and identify weaknesses.”

Larger institutions will have 18 months to comply with the rule and smaller institutions will have 24 months from the effective date, which is 60 days after its entry in the Federal Register. The proposal initially provided for 12 months for both.

 
