Myths About Cybersecurity Portfolio Oversight: Myth #4

Publish Date

Type

Article

Topics
  • Cybersecurity Resources
  • Cybersecurity
  • Portfolio Company Risk Management

With cyber threats and techniques continually evolving, the likelihood an organization small or large will experience a breach has increased significantly. In particular, the rise of ransomware-as-a-service means that huge numbers of unskilled attackers can monetize attacks on smaller organizations.

Indeed, smaller organizations have become the primary target for attacks due to having a reputation of poor cyber hygiene and attracting less media and law enforcement attention for hackers. A recent study found that 82% of ransomware attacks target organizations with fewer than 1,000 employees.

It has become imperative that private equity (PE) firms institute a “next level” of portfolio oversight: oversight that is formal, programmatic, and grows valuations. These more far-reaching cybersecurity portfolio oversight programs will meet increased investor expectations on cyber as well as safeguard and grow the valuation of investments.

In our experience, we regularly run into the same myths or misconceptions about the role of, and barriers to, building out a programmatic portfolio oversight capability.

In this series, we debunk some of the most common myths, providing your firm with the first step towards generating the necessary buy-in and funding for oversight.

Myth #4: Cyber oversight is (only) about downside risk management. 

Business and operational improvements have become a key value creation strategy for most firms. As the limits of financial engineering have become evident, investment theses have become more focused on the operations of PortCos as a means to improve valuations, especially now as deal flow has slowed. Despite this increased focus on operational improvements, many operating partners (OPs) still consider cyber oversight as a way to avoid value erosion, failing to exploit operational improvements in PortCo cybersecurity programs that can improve valuations.

A poor (or opaque) cybersecurity program is a bad reflection on PortCo management. It also calls into question the readiness of a PortCo to grow, either organically or through an acquisition. With exit valuations typically tied to the quality of management and the target’s further scalability, poor cyber programs will inevitably come back to bite OPs at exit. We have heard estimates as high as 3% impact on exit valuations when there are concerns about hidden cyber risks. Even if only 1 in 10 deals takes a 1% valuation hit, that works out to millions of dollars for many firms that they could be capturing with improved cyber oversight.

Conversely, a track record of well-managed, audited cybersecurity efforts can have a powerful effect on buyers. Comprehensive documentation of good practices shared in the data room may even short circuit cyber diligence.

A cyber oversight program is going to set us up for success as we continue to look to invest and exit investments. In the next 1-3 years, we’ll have dedicated programs, we’ll have defined road maps, the right governance in place, and be able to show success in the progress on our key initiatives. It’s going to position us well and give any potential buyers comfort that we’re methodically and strategically addressing cyber across the portfolio and on any particular investment as well.”

— ACA Aponix Private Equity Client


Download our white paper

cyber_white_paper_thumbnail

This myth is just one of several outlined in our white paper “4 Myths About Cybersecurity Portfolio Oversight.” Download here to learn more about the common myths that stand in the way of firms adopting programmatic oversight. We also offer a framework for organizations to begin evolving their approach, enabling them to avoid value destruction, better compete for capital, and increase valuations.

 

    You can read other myths in our series here:

    • Myth #1: Intervention in portfolio companies (PortCos) cyber programs is too burdensome on the PortCo.
    • Myth #2: Our firm already has a pretty good idea which PortCos need careful examination and/or assistance with cyber.
    • Myth #3: Investors don’t care and/or are satisfied with our current approach to cybersecurity. 

    Our guidance

    For several years PE firms have been dipping a toe in the water of cybersecurity portfolio oversight. In addition to the basic practice of pre-acquisition cyber due diligence, initial efforts taken by PE firms include bringing in outside consultants and vendors to PortCos with known cyber challenges and instituting minimum expectations for cybersecurity controls across the portfolio. Indeed, in 2022, 60% of firms polled by ACA reported to be actively engaging in some level of cyber oversight.

    However, as recently reported in the Wall Street Journal, this initial level of oversight is no longer sufficient to protect investments from cyber threats or reassure investors. Instead, it has become imperative that PE firms institute a programmatic approach to portfolio oversight: oversight that is formally governed, applied consistently, and grows valuations. Programmatic cybersecurity portfolio oversight will meet increased investor expectations for cyber as well as safeguard and grow the valuation of investments.

    Despite this pressure on PE firms, evolving cyber portfolio oversight to a programmatic approach is challenging. Most firms lack the cyber expertise, funding, buy-in, and/or understanding of what an oversight program should look like.

    How we help

    ACA has helped more than 100 PE, venture capital (VC), and hedge funds (HFs) improve cybersecurity oversight of their investments. Our new portfolio oversight solution, ACA Vantage for Cyber, can provide ongoing visibility to monitor and oversee your portfolio companies’ cyber health, giving you control to navigate risk, add value, and gain a competitive advantage. Powered by ACA Aponix®, ACA Vantage for Cyber combines our renowned advisory service with our award-winning regulatory technology, ComplianceAlpha®, and our exclusive "RealRisk" risk assessment methodology. 

    ACA Vantage for Cyber will help you to:

    • Align your cybersecurity oversight program to investor needs by leveraging best practices developed working with over 100 private market (PM) firms on oversight 
    • Save time with instant access to assessment results and the status of related remediation efforts 
    • Keep stakeholders informed and direct resources where they are needed most 
    • Uncover your firm’s risk from your investments from the fund level all the way down to individual cyber capabilities at individual portfolio companies. 

    Contact us to find out how we can help you protect your portfolio. 

    Contact us