Managing portfolio cyber security

Thursday, 15 June, 2023

decorative: dinner table with glasses and plates on it

A few weeks ago, we brought together people from private capital to discuss cyber security in portfolios and how value creation steers it. This discussion was held under Chatham House rules.

We kickstarted the conversation by chatting a little bit about our work with private capital firms to keep their portfolio companies cyber-healthy. You can read more about our work and the approach that we created in our case study.

We then opened up the discussion about our work as well as cyber security within the private equity industry in general. Our guests shared their thoughts, and had the chance to learn directly from a client’s experience of working with Cydea.

The result was a list of common themes and insights into how thinking about cyber security at a portfolio level can be helpful for private equity firms. The list included useful nuggets, such as:

Channel your limited bandwidth

Portfolio Partners, Managing Directors, and value creation teams are forever juggling the large list of responsibilities on their shoulders. Cyber security can easily become overwhelming if they have to tackle every possible risk in every portfolio company. Therefore, a programme of activity that provides a focus and direction allows them to spend time on companies with the highest risk, without leaving more cyber-advanced companies to fend for themselves.

Foster productive conversations with Limited Partners and investors

Cyber risk is increasingly on the agenda for all investment participants. Reducing exposure is necessary at the individual company and portfolio level to manage investment risk, and therefore far more detailed conversations happening on the ground. General Partners and value creation teams are scrutinised more, and expected to lead the conversation in cyber. Having a high-level view of the portfolio, with remediation plans for any high risk assets, is valuable in steering those conversations.

Mitigate the lack of consistency

Unlike finance, there are no common ‘accounting standards’ for cyber security. Frameworks and certifications are becoming more commonplace, but there’s no single one or ‘magic bullet’ that will apply to every company in a portfolio. The simple mitigation is to conduct your own regular analysis to understand the strategies, governance and risk management being applied. Building capability in this way will drive the right adoption of security controls and solutions. Plus this can provide peace of mind, and a consistent overview of the portfolio’s risk. It can also be used to show improvement for the purposes of increasing future sale value - win win!

Create a personalised approach

Risk management programmes work best when they take into account the company’s unique characteristics, rather than trying to apply the same framework to all. Juggling the various characteristics of portfolio companies and creating remediation plans to bring them up to a similar level of cyber readiness can cause a (not insignificant) headache and effort. Tailoring cyber strategies to the needs of each yields better results and ownership of the improvements.

Have practical conversations, not scary audits

A co-operative regular exercise, rather than intensive audit, leads to better conversations. Keeping the cyber conversation practical and focused helps companies feel less criticised, and more supported. They are also then more likely to indicate if a near miss has occurred, allowing better prevention measures to be put into place.

Create the best defence for attacks that (unfortunately) will continue to happen

Finally, we heard about examples of attacks that targeted companies in the process of acquisition and surfaced after the deal was done. These have the potential to cause damage not just to the portfolio company, but also financial and reputational consequences for the fund. Threat actors have even been known to contact the news media to highlight their actions for most effect (and even get it wrong!) But it doesn’t have to be all scary. Open communication when it comes to managing security incidents and having clear playbooks and processes help to manage any fallout and recover in a confident, managed manner and mitigate significant damage.

Continue having positive conversations about cybersecurity

As all businesses become more reliant on technology, the dangers of being targeted build up. It is important to continue having positive conversations with your portfolio, and develop confidence that you are focusing on what is likely to affect you most, rather than trying to cover every potential ‘black swan’ event. Understanding posture and quantifying risk can provide that focus.

Join us next time

Huge thanks to all our participants for coming along and sharing their thoughts and experiences. This is the start of a series of these conversations, so if you are interested in participating in the future, drop Maggie an email: maggie.mutkovicova@cydea.com.

Photo by Nadia Valko from Unsplash