Managing Risks in a Cybersecurity Portfolio Oversight Program

Author: ACA Aponix

Type: Article

Topics:
  • Cybersecurity
  • Cybersecurity Resources
  • Portfolio Company Risk Management

For several years, private equity (PE) firms have been dipping a toe in the water of cybersecurity oversight. In addition to the basic practice of pre-acquisition cyber due diligence, initial efforts taken by PE firms include bringing in outside consultants and vendors to portfolio companies (PortCos) with known cyber challenges and instituting minimum expectations for cybersecurity controls across the portfolio.

However, as reported in the Wall Street Journal, this initial level of oversight is no longer sufficient to protect investments from cyber threats or reassure investors.

A programmatic approach to cybersecurity portfolio oversight is recommended for a consistent approach to managing risk across the portfolio. This includes processes for monitoring, assessing, and responding to risks.

Risk management of the portfolio will vary by firm, as it should be rooted in a firm’s risk and investment strategy as well as reflect the operating context of its portfolio. Although there will be differing approaches, the following elements are consistent components of a programmatic approach to managing risks.

Security Baseline

Establishing a standard security baseline is a way for operating partners (OPs) to ensure all PortCos have a minimum set of controls in place. Ultimately, security decisions should be risk-based, but a minimum standard is a good starting point in portfolio oversight and helps newly acquired PortCos take quick action on key controls.

The security baseline should include the policies, procedures, and controls expected of all PortCos, including cyber insurance expectations. These minimum standards should reflect common cybersecurity best practices, the industry or industries in which the PortCos operate, and the firm's investment risk strategy.

Common security baselines applied across the portfolio often include requirements around the following control areas:

  • Cyber insurance
  • Multi-factor authentication (MFA)
  • Anti-virus and firewall
  • Employee training
  • Incident response plans
  • Penetration testing

It’s one thing to set a security baseline; it’s another for PortCos to execute and achieve it. Within a portfolio, companies can have vastly different cybersecurity programs and levels of maturity. While some large companies may already meet many of the expected security controls and/or have in-house IT and cybersecurity teams with the knowledge base and resources to implement the security baseline, other companies may not have the resources to do so.

As such, a key part of setting the security baseline for OPs is helping PortCos implement and reach these targets. This may include providing additional funding, bringing in outside experts, and/or monitoring and tracking implementation progress.

Risk Framework

OPs need a consistent and easily digestible risk and control framework to effectively measure, manage, and report on cybersecurity risks across the portfolio. As many OPs do not have in-depth cybersecurity expertise, it is important that the framework is easy to use and understand so results can be articulated to investors, boards, and other relevant stakeholders. The framework should also be flexible and scalable enough to accommodate companies’ varying operations, industries, regulatory requirements, and information security architectures.

Regardless of the framework chosen, OPs want to ensure they use the same framework for each of their PortCos to allow for cross-portfolio comparisons and monitoring. There are many frameworks available, and OPs should take time to think through which framework makes sense for their firm and its portfolio.

Risk Assessment

The evolving threat landscape and growing investor expectations have made regular risk assessments and monitoring of the portfolio essential components of any programmatic cybersecurity oversight program. Risk assessments not only help PortCos and OPs uncover where existing and new risks lie, but also help to develop a remediation plan that targets identified vulnerabilities.

When conducting risk assessments of PortCos, it is important that OPs use the same framework and methodology for each company, as this allows for cross-portfolio comparisons and for monitoring changes and progress towards remediation over time.

Likewise, using a methodology that incorporates portfolio company characteristics, such as industry, regulatory environment, operational complexity, and location, as well as the investment context, is especially advantageous: it allows OPs to contextualize the findings and make more informed decisions about next steps for remediation.

Having a documented track record of both the risk assessments and remediation is critical for OPs to not only monitor remediation progress and newly arisen risks, but also to report to relevant stakeholders such as limited partners (LPs), investors, and the board.

Increasingly, investors are asking about the cybersecurity risk of PortCos. The ability to demonstrate an established assessment and subsequent remediation process can help meet these growing expectations.

Risk Readiness

Alongside regularly assessing risks, OPs need the ability to monitor and respond to the fast-changing cybersecurity landscape. This includes mechanisms to quickly assess the impact of new threats and vulnerabilities on each portfolio company and to issue recommended action steps to affected PortCos without delay.

Due to the technical nature of this activity, many firms rely on outside help. Firms seeking external help should look for services that offer always-on monitoring of the cybersecurity threat landscape and experienced consultants that can provide tailored guidance on how to respond to new threats.

Download our white paper

Our latest white paper, Building a Value-Generating Cybersecurity Portfolio Oversight Program | A Guide to Protecting Your Investments and Growing Your Valuation, expands upon the concept of a programmatic approach and the key benefits of incorporating it into your cybersecurity oversight program. Download the white paper to learn how to implement a programmatic cybersecurity oversight program in your firm.

How we help

ACA’s new portfolio oversight solution, ACA Vantage for Cyber, can provide ongoing visibility to monitor and oversee your portfolio companies’ cyber health, giving you control to navigate risk, add value, and gain a competitive advantage.

Powered by ACA Aponix®, ACA Vantage for Cyber combines our renowned advisory service with our award-winning regulatory technology, ComplianceAlpha®, and our exclusive "RealRisk" risk assessment methodology.

ACA Vantage for Cyber will help you to:

  • Align your cybersecurity oversight program to investor needs by leveraging best practices developed working with over 100 PM firms on oversight.
  • Save time with instant access to assessment results and the status of related remediation efforts.
  • Keep stakeholders informed and direct resources where they are needed most.
  • Uncover your firm’s risk from your investments from the fund level all the way down to individual cyber capabilities at individual portfolio companies.

Reach out to your ACA consultant or contact us to find out how we can help you protect your portfolio.