How Private Equity Firms Can Protect ‘Treasure Trove’ From Digital Threats
Cybersecurity risks are omnipresent. September’s hack of MGM Resorts International and Caesars Entertainment showed just how vulnerable companies can be, no matter how large or small.
Institutional asset owners and asset managers, and private equity firms especially, are uniquely positioned to be victims of cyberattacks, with “treasure troves of sensitive information,” as one technology manager put it, there for the taking. Any cybersecurity incident can have drastic consequences for the firms, their portfolio companies and their sensitive information.
Valuable Targets, Less Protection
In recent years, cyberattacks against financial services firms have increased. According to Deepwatch’s “2023 Threat Intelligence Report,” 23% of all cyberattacks targeted financial services firms. According to a recent Verizon data breach report, financial motives were behind 97% of all cyberattacks against the finance sector.
“Financial services firms are 300 times as likely as other companies to be targeted by a cyberattack, and 50% of these companies are at heightened risk of becoming a victim of ransomware,” according to insurance brokerage Lockton. Within financial services, private equity firms are especially rich in data.
“Private equity firms are particularly attractive to cybercriminals because, at their core, PE firms are treasure troves of sensitive information, storing sensitive details of their portfolio companies, upcoming deals and investment plans,” said Thomas Emmons, global chief technology officer and chief data officer at Accordion, a financial services consulting firm, in an emailed response. “This data, if misappropriated, can be leveraged for malicious pursuits, from insider trading to strategic business sabotage. Moreover, the sheer volume and value of financial transactions these firms manage presents another lucrative avenue for cyber hackers.”
According to Accenture’s private equity cybersecurity report, private equity firms are often targets of cyberattacks because many of their portfolio companies lack any infrastructure to defend against them. This is particularly true for middle-market firms that may not have the resources to invest in defending against digital threats.
Of Accenture’s private equity clients, 68% reported seeing cybersecurity incidents increase following the announcement of a deal, with incidents occurring 118% more often when a deal was closed. According to Accenture, many private equity firms and their portfolio companies install fewer protections against online threats in order to prioritize growth.
The Accenture report highlighted examples of how some portfolio companies were negatively affected, such as a health care portfolio company that was the target of a data breach, exposing the personal information of 60,000 patients and employees.
In another case, an airline parts manufacturer in talks to be acquired by a fund was the victim of a ransomware group. The hackers shut down manufacturing plants in four countries and threw hundreds out of work. The result? The asking price for the company was cut by $150 million, and the acquisition was delayed by one year.
Middle-market private equity firms and their portfolio companies are especially exposed: in their efforts to gain higher valuations, smaller firms might overlook cybersecurity protection, which can be costly and could be seen as a lower priority.
“Portfolio companies are typically midsize, resource-constrained and too often unable to adequately defend themselves against sophisticated threat actors who are increasingly focused on them,” according to a report from EY Parthenon by John Hauser, the firm’s cyber due diligence leader, and Brian Levine, its managing director of cybersecurity and data privacy, strategy and transactions, who interviewed their private equity clients about cybersecurity risks.
Accordion’s Emmons pointed out that lack of investment is not the only reason private equity firms are such common targets.
“PE firms operate within a complex web of interactions, collaborating with numerous entities like banks, legal partners, and portfolio companies,” Emmons wrote. “Each interaction can serve as a potential opportunity point for cyberattacks.”
Digital Defenses Essential to Preserve Value
In the EY Parthenon report, “Why private equity cybersecurity is urgent now,” the authors interviewed Lúcia Soares, chief information officer and head of technology transformation for the Carlyle Group, and she addressed one of the conversations her firm has with portfolio companies.
“The increased frequency and impact of cybercrimes have been the driving force behind our efforts to educate and advise portfolio companies on the threats and mitigation strategies businesses can consider [to reduce] their cybersecurity risk and preserve the value of their technology investments.”
Reducing risk means extensive due diligence. In putting together any deal, Benjamin Eason, managing director of cyber at Apollo, told the EY Parthenon report’s authors, “It starts with doing consistent, quality diligence.” Eason went on to say that both security fundamentals and aspects “unique to each deal and each business threat model” must be covered before a deal is finalized.
That is because it can happen to anybody. According to technology consulting firm Performance Improvement Partners, 25% of middle-market private equity firms will be the victim of a data breach.
“When a portfolio company falls victim to a breach, the private equity owner faces both direct and intangible costs,” the firm stated in a 2020 cybersecurity report. “In addition to the impact on earnings, money spent on post-incident mitigation has a negative impact on funds allocated to grow the business. The effects are long-lasting: According to IBM, one-third of data breach costs are incurred more than a year after it occurs.”
PE firms have taken several approaches to protecting their portfolios, but there are sometimes limitations; larger firms have more resources to invest.
Some private equity firms conduct tabletop simulations of cyberattacks against their portfolio companies. One major private equity firm conducts an annual “cyber simulation” exercise with all the hundreds of companies in the firm’s portfolio. Not all firms have the resources to conduct such exercises, but according to one firm that does, portfolio companies that had already invested in and presented cybersecurity plans to the board of directors performed 20% better in these exercises.
The most common way private equity firms protect themselves is to purchase insurance for their portfolio companies. One firm uses a group captive to bring multiple portfolio companies together and manage their digital risk collectively. Some private equity firms also hire outside cybersecurity firms to minimize threats.
“PE firms and their portfolio companies often face challenges, as they try to maximize profitability, to also invest enough to combat cyber risks such as ransomware, IP theft and stolen assets,” wrote Jonathan Ho, a partner in and cybersecurity research analyst at William Blair & Co., in an email. “We believe these companies struggle with the high costs of maintaining a cybersecurity infrastructure and the talent needed to operate them. We are seeing more trends toward using managed service providers or third parties to help secure organizations with enterprise-grade security at low cost. We believe having a comprehensive cybersecurity strategy, including risk mitigation and cyber insurance, [is] critical as well.”
Icebergs Ahead?
In the future, far greater risks could come for private equity firms. Cybersecurity experts see advances in natural language processing and generative artificial intelligence driving a rise in ransomware, according to a report from Wellington Management Co.
Most firms are doing their best to look ahead by increasing the role cybersecurity plays in their due diligence processes.
“We are seeing private equity firms making cybersecurity a core focus area during the diligence process, rather than deciding on a deal-by-deal basis if it should be included,” wrote Christina Powers, a partner in digital services firm West Monroe’s cybersecurity practice specializing in private equity, in an email. “We’re seeing the cyber scope tailored based on the target—where all targets should be evaluated for core cybersecurity maturity, environment-specific add-ons like product security or privacy are included to get those specific perspectives. Finally, we’re seeing private equity firms rally around the concept of ‘cyber non-negotiables,’ where they are defining, many times jointly with external advisers, what they want flagged as part of diligence and then actively tracked [after the] potential transaction to ensure implementation or coverage of those controls.”
One firm confirmed that cybersecurity risk is part of its due diligence process across all business units, not just in private equity, and that it has a dedicated team that oversees cybersecurity for the firm’s portfolio companies. As the old saying goes, however, firms are only as strong as their weakest links.
“While some firms might have cutting-edge defenses, others may have gaps, making them attractive targets,” Accordion’s Emmons said.