Creating Value in a Cybersecurity Portfolio Oversight Program
For several years private equity (PE) firms have been dipping a toe in the water of cybersecurity oversight. In addition to the basic practice of pre-acquisition cyber due diligence, initial efforts taken by PE firms include bringing in outside consultants and vendors to portfolio companies (PortCos) with known cyber challenges and instituting minimum expectations for cybersecurity controls across the portfolio.
However, as reported in the Wall Street Journal, this initial level of oversight is no longer sufficient to protect investments from cyber threats or reassure investors.
A programmatic approach to cybersecurity portfolio oversight not only focuses on traditional downside risk management activities, but also on value creation opportunities.
Like other operational improvement activities, a well-documented track record of cybersecurity portfolio oversight can attract investors and grow valuations. Pooling and sharing resources from across the portfolio also creates opportunities to streamline costs and share best practices.
Improving Valuations
Cybersecurity oversight is more than a way to manage downside risks; it’s also an opportunity to improve valuations at exit through operational improvements. A poor (or opaque) cybersecurity program reflects badly on PortCo management. It also calls into question the readiness of a PortCo to grow, either organically or through an acquisition.
With exit valuations typically tied to the quality of management and the target’s further scalability, poor cybersecurity programs will inevitably come back to bite operating partners (OPs) at exit. We have heard estimates as high as 3% impact on exit valuations when there are concerns about hidden cybersecurity risks.
Even if only 1 in 10 deals takes a 1% valuation hit, that works out to millions of dollars for many firms that could be captured with improved cybersecurity oversight. Being able to demonstrate a documented track record of well-managed, audited cybersecurity efforts can have a powerful effect on buyers.
Economies of Scale
Another way programmatic approaches to cybersecurity portfolio oversight can create value is by looking for opportunities to leverage economies of scale to lower cybersecurity expenses for PortCos. Sharing services and/or coordinating purchases of new products are a few ways OPs can trim costs. This allows for opportunities to purchase these services at a discounted rate and eliminate service or product redundancies across the portfolio.
Products and services commonly shared across the portfolio include, but are not limited to:
- Managed Service Providers (MSP) and/or Managed Security Service Providers (MSSP)
- Cybersecurity insurers / brokers
- Cybersecurity consultants
- Incident response firms
- Security information and event management (SIEM) software solutions
- Extended detection and response (XDR) software solutions
- Antivirus or anti-malware
- Managed detection and response (MDR) software solutions
PortCo Support
Another way OPs can create value across the portfolio is by sharing aggregated data and insights. Leveraging data, insights, and benchmarks collected across the portfolio can help individual PortCos improve their cybersecurity programs and right-size their investments. For example, having data on cyber insurance coverage limits by revenue and industry could help PortCos assess whether their coverage is too high or low.
Likewise, hosting forums for PortCos to share cybersecurity best practices and learn from one another is a great way to pool resources to create value. With PortCos at varying levels of maturity, this is a great opportunity to socialize cybersecurity oversight and support PortCos with less mature cybersecurity programs. PortCos are often eager to improve their cybersecurity posture but unsure how to begin. Being able to hear directly from other companies in similar positions is a great way to build morale and support for cybersecurity improvements.
Leadership Support
Running an effective cybersecurity portfolio oversight program requires investment from the board and managing partners at the PE firm. To secure this investment, OPs need to be able to demonstrate the value-add of conducting portfolio oversight. This includes not only the benefits of downside risk management, but also the value creation opportunities of leveraging economies of scale and operational improvements upon exit.
Gaining leadership support requires regular conversations with stakeholders to socialize the connection between cybersecurity portfolio oversight and portfolio valuation. Being able to support these conversations with a track record of program success and improvements is a key way to gain leadership buy-in. Likewise, bringing in outside experts with experience building and supporting portfolio oversight programs is another way to socialize the idea with the board and senior leadership.
Download our white paper
Our latest white paper, Building a Value-Generating Cybersecurity Portfolio Oversight Program | A Guide to Protecting Your Investments and Growing Your Valuation, expands upon the concept of a programmatic approach to cybersecurity portfolio oversight and the key benefits of incorporating it into your cybersecurity oversight program. Download our comprehensive white paper to learn how to implement a programmatic cybersecurity oversight program in your firm.
How we help
ACA’s new portfolio oversight solution, ACA Vantage for Cyber, can provide ongoing visibility to monitor and oversee your portfolio companies’ cyber health, giving you control to navigate risk, add value, and gain a competitive advantage.
Powered by ACA Aponix®, ACA Vantage for Cyber combines our renowned advisory service with our award-winning regulatory technology, ComplianceAlpha®, and our exclusive "RealRisk" risk assessment methodology.
ACA Vantage for Cyber will help you to:
- Align your cybersecurity oversight program to investor needs by leveraging best practices developed working with over 100 PM firms on oversight.
- Save time with instant access to assessment results and the status of related remediation efforts.
- Keep stakeholders informed and direct resources where they are needed most.
- Uncover your firm’s risk from your investments from the fund level all the way down to individual cyber capabilities at individual portfolio companies.
Reach out to your ACA consultant, or contact us to find out how we can help you protect your portfolio.