Cyber resilience core to safeguarding investment value
The warning by the Bank of England's Financial Policy Committee last month that financial firms in the UK are underestimating the threat of cybercrime, coupled with recent high-profile blow-by-blow media accounts of companies under attack, are set to keep cyber resilience firmly on corporate governance agendas. For private equity firms, such risks pose fundamental challenges. Cyber attacks have a significant impact on victims, with some 60% of small firms forced to close within six months of an attack, according to the US National Cyber Security Alliance.
Given the potentially devastating impact of a cyber attack, cyber resilience must be a fundamental part of assessing the value of an investment and must be reviewed alongside the financial and strategic strengths of a prospective investment target. A pre-deal due diligence assessment must identify any underlying cyber vulnerabilities, to avoid undermining future goals and protect the value of the investment itself. Leaving this kind of assessment until after a deal is complete is a very significant mistake. Even if security problems are promptly discovered after a deal is complete, fixing IT systems can be extremely expensive, which can result in unexpected calls for additional funding, often running into millions of dollars.
A security assessment must be conducted in tandem with the financial and legal due diligence. The process should start with a wide-ranging security review, carried out by an external third party. It is crucially important for investors to avoid the all-too-common pitfall of treating the security review as checklist audit of security systems. Such an IT audit often does nothing more than confirm that a company meets a certain predefined security standard, which has proven time and again to be insufficient to prevent actual cyber attacks. Though standards are important, it is worth keeping in mind that almost every high-profile breach in the recent past occurred after the corporates had passed their IT audit and been certified as compliant with the relevant security standard. Instead, a security assessment must by a customised and risk-focused review, aimed at understanding the actual risks a particular company faces, and identifying ways to mitigate those risks.
In addition to identifying security gaps in hardware and software used by a company, a security review will determine the extent to which security is seen as a companywide priority. Investors must ensure that security systems not only include the proper firewalls, passwords and encryption, but also that security has been made a priority across the company. Everyone involved in using the IT systems has a crucial role to play. Thus, an important part of good security is ensuring that employees are knowledgeable about their role in protecting company data. Education is not only useful to ensure compliance with security standards, it is also critical that users do not become the weak link in the security chain. Individuals must be taught to be vigilant about such email attacks, which will make it more difficult for attackers to catch someone unaware. Users also need to understand what to do if they suspect a problem after they click on a suspicious link or open a mysterious file.
Careless executives or employees represent a significant risk to cyber security, according to a poll of US companies. The Stroz Friedberg 'On the Pulse: Information Security Risk in American Business' survey found that a key challenge for companies is to strengthen cyber security from within, with 87% of senior managers regularly using personal email or cloud account to work remotely, placing such information at a much greater risk of being breached. The survey also found that more than half (58%) of senior management reported having accidentally sent the wrong person sensitive information, compared to just one quarter of workers overall.
A security review must also ensure that a company has a response plan in place to deal with a hacking. Long gone are the days when any company can assume that good firewalls and other security infrastructure can keep out attackers. All companies must assume that attacks will happen despite their best efforts. A detailed response plan can greatly mitigate the danger of such an attack.
Additionally, investors must be aware that an organisation's ability to withstand a cyber attack will change over time. Firms should, therefore, work with their operating companies to periodically review cyber security. As these companies evolve their IT systems and operational risks, also change.
Finally, investors should remember that it is not only their operating companies that hold valuable data. Investment companies do too. Private equity firms are themselves targets of cyber criminals, making a security assessment of the private equity firm as important as the review of security for prospective and existing operating companies.
With a statutory and regulatory duty to safeguard valuable and sensitive data held on investors, operating companies, investment strategies and their own operations, the impact could be significant, should such information come into the wrong hands. COOs must, therefore, work with their senior teams to develop strategies that allow regular reviews of cyber resilience. Such assessments should reflect the approach and principles introduced as part of the investee cyber security due diligence processes, while reflecting firms' own day-to-day operations. Just as with investee companies, private equity firms' own staff must understand the rationale behind IT policies, which will help avoid individuals bypassing or undermining these rules and, inadvertently, creating new vulnerabilities.
Senior executives are increasingly recognising the importance of safeguarding systems and sensitive data as fundamental elements of good corporate governance. However, as recent events have demonstrated, there is some way to go before such objectives may be met. In the meantime, private equity firms must take steps to better understand the resilience of their own portfolios, by seeking greater clarity and insight of primary risk areas facing individual operating companies and the steps taken by their senior teams to address such vulnerabilities.
Seth Berman is executive managing director of Stroz Friedberg, an investigations, intelligence and risk management company. www.strozfriedberg.com