Governance in a Cybersecurity Portfolio Oversight Program
For several years private equity (PE) firms have been dipping a toe in the water of cybersecurity oversight. In addition to the basic practice of pre-acquisition cyber due diligence, initial efforts taken by PE firms include bringing in outside consultants and vendors to portfolio companies (PortCos) with known cyber challenges and instituting minimum expectations for cybersecurity controls across the portfolio.
However, as reported in the Wall Street Journal, this initial level of oversight is no longer sufficient to protect investments from cyber threats or reassure investors.
An effective cybersecurity oversight program should be formally governed by accountable individual(s) to ensure it meets investor and firm needs. Key activities include:
- Capturing stakeholder expectations and reporting on program performance
- Rightsizing the oversight program to investment and stakeholder expectations
- Integrating the cyber oversight program with other oversight and operational improvement efforts
Accountability
As firms recognize the importance of oversight, they must ensure someone is accountable for the program’s activities and progress. Depending on firm size, this may include role(s) responsible for cybersecurity in addition to their other responsibilities, or role(s) solely responsible for cybersecurity.
In many instances, the individual(s) responsible for cybersecurity portfolio oversight may not have cybersecurity expertise, which will require the firm to lean on outside cybersecurity experts to build and manage the oversight program.
Regardless, someone within the firm should have the mandate for portfolio oversight. This ensures the cybersecurity oversight program reflects the investment strategy and investor needs, two things many outside experts may not be able to opine on.
Limited Partner Relations
Recognizing the high cost of data breaches, limited partners (LPs) are focusing more and more on cybersecurity practices at the portfolio level to ensure the security of their investments. LPs are demanding more reporting on cybersecurity metrics; according to a recent survey, 55% of LPs expect consistent reporting across the portfolio.
Similar to ESG issues, cybersecurity will continue to grow in importance as a key factor in LPs’ investment decisions. Indeed, our clients tell us that LPs continue to ask more detailed questions regarding the controls that PortCos have in place.
While LPs have concerns about cybersecurity, they may not have the expertise to evaluate whether their oversight is adequate. Detailed technical reports and bespoke efforts for individual PortCos might make sense to a cybersecurity expert, but are unlikely to assuage investor concerns. One of the benefits of a programmatic approach is the ability to provide a simple, confidence-inspiring picture of cybersecurity protections across the portfolio.
Some of the keys to success here are a consistent approach across PortCos, measures and benchmarks that are comparable across companies, and formal governance of oversight efforts.
Given changing investor expectations, operating partners (OPs) need mechanisms in place to gather the desires and expectations of LPs around cybersecurity oversight to help inform strategy. Conducting surveys or informal interviews, or leveraging investor forums, are a few ways in which firms can better understand and evaluate investors’ cybersecurity expectations.
An investor-focused oversight program not only ensures the program meets existing investor expectations, but it can also help to attract new investors. This is especially valuable as firms find it harder to attract and retain investors in the current economic environment.
Reporting
OPs need to have established processes to report on PortCos’ cybersecurity to managing partners, the board, investors, regulators, and other stakeholders. Reporting serves multiple purposes, including gaining buy-in and additional resources to support oversight initiatives, attracting investors, and providing transparency into oversight activities across the portfolio.
However, many stakeholders likely will not have cybersecurity expertise, so it is important that reporting is simplified and easy to understand for non-technical audiences. Detailed technical reports and bespoke efforts for individual PortCos might make sense to a cybersecurity expert, but are unlikely to hold value or assuage stakeholder concerns.
A programmatic approach to cybersecurity oversight is designed to provide a simple, confidence-inspiring picture of cybersecurity protections across the portfolio. A consistent framework and methodology across PortCos allows for comparable measures and benchmarks, which simplifies and streamlines the reporting process for stakeholders.
Right-sized Oversight
While it may sound contradictory, part of taking a programmatic approach to cybersecurity portfolio oversight includes adjusting oversight intensity to individual PortCos. What distinguishes a programmatic approach is that the sizing of oversight is based on objective, articulated factors that indicate a PortCo’s need for oversight. The level of oversight intensity should be based on the size of the investment, the inherent risk, and the PortCo’s lifecycle. As these factors vary from PortCo to PortCo as well as fund to fund, oversight strategies will also differ.
Integrated Oversight
Finally, a cybersecurity oversight program should be integrated into the firm’s broader oversight and value-creation activities. Firms should look for synergies and integration opportunities across other oversight activities, such as financial and ESG oversight.
Beyond creating efficiencies, this allows OPs to tell stakeholders a more complete story of risk to the portfolio. This can further help attract and retain investors as well as secure resources for further oversight investments.
Download our white paper
Our latest white paper, Building a Value-Generating Cybersecurity Portfolio Oversight Program | A Guide to Protecting Your Investments and Growing Your Valuation, discusses the concept of a programmatic approach to cybersecurity portfolio oversight and the key benefits of incorporating it into your cybersecurity oversight program. Download our comprehensive white paper to learn how to implement a programmatic cybersecurity oversight program in your firm.
How we help
ACA’s new portfolio oversight solution, ACA Vantage for Cyber, can provide ongoing visibility to monitor and oversee your portfolio companies’ cyber health, giving you control to navigate risk, add value, and gain a competitive advantage.
Powered by ACA Aponix®, ACA Vantage for Cyber combines our renowned advisory service with our award-winning regulatory technology, ComplianceAlpha®, and our exclusive "RealRisk" risk assessment methodology.
ACA Vantage for Cyber will help you to:
- Align your cybersecurity oversight program to investor needs by leveraging best practices developed working with over 100 PM firms on oversight.
- Save time with instant access to assessment results and the status of related remediation efforts.
- Keep stakeholders informed and direct resources where they are needed most.
- Uncover your firm’s risk from your investments from the fund level all the way down to individual cyber capabilities at individual portfolio companies.
Reach out to your ACA consultant, or contact us to find out how we can help you protect your portfolio.