Recent cyber security breaches should have alerted private equity firms to the threats facing their portfolio companies, says Michael Corcione of Cordium.
Private equity firms may be aware of the growing number of cyber security and data protection regulations for financial services organisations – but how knowledgeable are they about the cyber risks that lurk within the diverse range of companies in their portfolios?
Cyber breaches and data security violations can have a very real impact on the value of a corporate holding. For example, Yahoo was forced to cut the sale price of its core internet business to Verizon Communications from $4.83 billion to $4.48 billion after disclosing two large breaches dating from 2013 and 2014. Since those disclosures, dozens of lawsuits have been filed and Yahoo has come under investigation by regulators. The company recently announced that as many as three billion user accounts may have had personal information compromised.
Cyber risk – and organisations’ exposure to it – is increasing. Recently, a number of high-profile organisations across a range of industries have disclosed that they have been subject to a cyber breach, and that data – personal and corporate – has been compromised. These include:
- Deloitte – the consulting firm announced at the end of September that details of its key corporate clients may have been accessed.
- Equifax – the credit reporting agency disclosed in early September that hackers may have accessed records on 145.5 million consumers, including sensitive non-public personal data.
- Bupa – in July, the health insurance company announced that an employee had copied and taken away data connected to 547,000 international health insurance plan customers.
Many of these incidents are, at least in part, the result of organisations lacking effective policies, procedures and controls to stop an attack from turning into an actual loss event. In Equifax's case, the attackers exploited a known vulnerability in a public-facing web application that had not been patched.
Operational risk, and the reputational risk that accompanies it, becomes an investment risk when the company suffering the breach or data protection incident is owned by a private equity firm.
To protect revenue and preserve the value of their investment portfolio, it makes sense for private equity firms to ensure that the companies they have stakes in are not only compliant with industry rules, but are also applying good practices to properly manage the cyber risks and data protection threats they face.
The cyber security and data protection landscape is evolving rapidly around the world. In the US, the New York Department of Financial Services has introduced a cyber security regulation for the financial services firms it supervises (23 NYCRR 500), and other states are putting in place rules of their own. Federal cyber security initiatives are likely to translate into new rules and practices across industries.
In the EU, the General Data Protection Regulation (GDPR) applies from 25 May 2018, and it reaches beyond the EU to firms that offer services to, or monitor the behaviour of, individuals in the EU. The EU is also launching a range of cyber risk initiatives that will ultimately translate into new rules. On September 25, 2017, the US Securities and Exchange Commission announced a new enforcement 'Cyber Unit' dedicated to cyber-related violations.
Because cyber security and data protection are fast-moving areas, it is important to confirm that organisations have implemented the most recent requirements and good practices for their industry. A potential portfolio company, whether being acquired outright or through a merger, should have its cyber security and data protection policies, procedures and controls evaluated as part of due diligence. Existing portfolio companies should be reassessed annually after the initial review, with policies and procedures updated accordingly.
Even private equity firms that already do this (and many do not) often struggle to bring information about cyber risks from their disparate holdings into a single reporting framework in which risks, controls and other indicators can be compared on a like-for-like basis.
Without a unifying approach, it is difficult for private equity executives to assess frameworks, policies, implementation and approaches accurately. Applying a common methodology to cyber risk assessment across a whole portfolio brings significant benefits, including the ability to understand the cyber risk of individual holdings relative to one another.
Private equity firms can also learn about best practices at the companies they hold, and share those practices across their portfolio.
In short, private equity firms need the capability to fully assess and manage cyber risk within their portfolio companies. That capability can make the difference between a successful investment and one that loses value through reputational damage, legal exposure and regulatory sanctions.
Michael Corcione is managing director of cyber security and data protection at Cordium
©2018 funds europe