Enhancing Valuations and Investor Trust with Cybersecurity Portfolio Oversight

With cyber threats and techniques continually evolving, the likelihood an organization small or large will experience a breach has increased significantly. In particular, the rise of ransomware-as-a-service means that huge numbers of unskilled attackers can monetize attacks on smaller organizations.

Indeed, smaller organizations have become the primary target for attacks due to having a reputation of poor cyber hygiene and attracting less media and law enforcement attention for hackers. A recent study found that 82% of ransomware attacks target organizations with fewer than 1,000 employees.

In private equity (PE), not only do breaches result in financial and operational losses to the targeted portfolio company (PortCo), but equally to the sponsors and investors. A watershed moment for recognition of cyber risk to PortCos was the 2021 ransomware attack that shut down privately held Colonial Pipeline Company. The attack resulted in millions of USD in losses to Colonial Pipeline Company. Widespread impact to pipeline customers also resulted in severe reputational risk to Colonial Pipeline and its owners.

Breaches, culminating in Colonial Pipeline, have focused private equity management on the cyber risk in their portfolios. At the same time, Limited Partners (LPs) have become focused on the cybersecurity practices at the fund level to ensure the security of their investments, putting more of an onus on PE firms to act.

How do firms address this cyber risk?

For several years PE firms have been dipping a toe in the water of cybersecurity oversight. In addition to the basic practice of pre-acquisition cyber due diligence, initial efforts taken by PE firms include bringing in outside consultants and vendors to PortCos with known cyber challenges and instituting minimum expectations for cybersecurity controls across the portfolio. Indeed, in 2022, 60% of firms polled by ACA reported to be actively engaging in some level of cyber oversight.

However, as reported in the Wall Street Journal, this initial level of oversight is no longer sufficient to protect investments from cyber threats or reassure investors. Instead, it has become imperative that PE firms institute a programmatic approach to portfolio oversight: oversight that is formally governed, applied consistently, and grows valuations.

Programmatic cybersecurity portfolio oversight will meet increased investor expectations for cyber as well as safeguard and grow the valuation of investments.

What is cybersecurity portfolio oversight?

What do we mean by cybersecurity portfolio oversight? While capital is invested, a PE, venture capital (VC), or hedge fund (HF) has a fiduciary responsibility to oversee risks to that investment. Depending on the firm’s investment thesis, it will likely also oversee and facilitate progress against a value-creation plan.

These oversight activities have not always formally included overseeing cybersecurity. However, over the past few years the industry has come to understand that cyber-attacks pose an existential risk to smaller companies, and possibly to the PE firm. Hence cybersecurity oversight has become imperative to avoid value destruction from cyber-attacks.

Cybersecurity portfolio oversight can create opportunities

The past 1-2 years have seen a sea change in the industry, with leaders recognizing opportunities for more than just downside risk management in their cybersecurity oversight.

The first opportunity is in value creation. While it’s understood that a poor showing in cyber diligence can negatively affect valuation, it’s less often considered that a documented track record of well-managed, audited cybersecurity efforts can improve a valuation and may even short circuit cyber diligence.

The second opportunity is in attracting capital from LPs. LPs are increasingly looking for effective cybersecurity oversight to be in place. Meanwhile, according to Pitchbook, fundraising has been trending down for 2 quarters and LPs are getting choosier with their investments. In this context, a programmatic approach to oversight that is designed for improved investor relations can pay for itself solely by converting or retaining 1-2 large investors.

How do you implement effective cybersecurity oversight?

ACA has helped more than 100 PE, venture capital (VC), and hedge funds (HFs) improve cybersecurity oversight of their investments. Based on our learnings from those interactions, we provide a path forward in our white paper and webcast.

Download our white paper to learn how to rebut common myths that stand in the way of firms’ adopting programmatic oversight. We then offer a framework for organizations to begin evolving their approach, enabling them to avoid value destruction, better compete for capital, and increase valuations.

Watch our webcast for a discussion on what a programmatic approach to cybersecurity oversight is, the benefits to this approach, and how ACA can help you adopt it.

How we help

ACA has helped more than 100 PE, venture capital (VC), and hedge funds (HFs) improve cybersecurity oversight of their investments. Our new portfolio oversight solution, ACA Vantage for Cyber, can provide ongoing visibility to monitor and oversee your portfolio companies’ cyber health, giving you control to navigate risk, add value, and gain a competitive advantage. Powered by ACA Aponix^®, ACA Vantage for Cyber combines our renowned advisory service with our award-winning regulatory technology, ComplianceAlpha^®, and our exclusive "RealRisk" risk assessment methodology. 

ACA Vantage for Cyber will help you to:

• Align your cybersecurity oversight program to investor needs by leveraging best practices developed working with over 100 private market (PM) firms on oversight 
• Save time with instant access to assessment results and the status of related remediation efforts 
• Keep stakeholders informed and direct resources where they are needed most 
• Uncover your firm’s risk from your investments from the fund level all the way down to individual cyber capabilities at individual portfolio companies. 

Contact us to find out how we can help you protect your portfolio. 

Contact us