Six steps to mitigate the damage of a cybersecurity breach at a portfolio company
With cybersecurity threats and techniques continually evolving, small and medium-sized organizations, like many portfolio companies (PortCos), have increasingly become targets of attack, accounting for 43% of cyberattacks annually. Similarly, up to 82% of ransomware attacks have targeted companies with fewer than 1,000 employees.
PortCos can present an attractive target as they often have a reputation for immature cybersecurity programs and tend to have limited resources to respond to a breach. These cybersecurity incidents can have a devastating impact on a small company, ranging from the material damages associated with the incident to significant operational downtime that can damage customer relationships and the company’s reputation.
The risks faced by smaller PortCos can often be mitigated by proper private equity (PE) oversight, aiding sponsors in protecting their investments from being affected by cybersecurity threats that might otherwise negatively impact these companies. PE sponsors have a valuable role to play supporting PortCos as they develop and maintain strong cybersecurity programs and prepare to respond to potential cybersecurity incidents. PE firms should consider the following steps to help ensure their PortCos are prepared to effectively respond to a breach.
1. Develop and review incident response plans
An efficient and effective response to a cybersecurity incident requires a response plan that outlines roles and responsibilities as well as required action steps in the event of a cybersecurity incident. PE sponsors should ensure that portfolio companies have the proper expertise available to develop and maintain an appropriate Incident Response Plan (IRP). By ensuring PortCos have the proper internal personnel, or by aiding in the procurement of an appropriate vendor for this purpose, and by confirming that the IRP is periodically updated and reviewed by a cybersecurity expert, PEs can affirm PortCo readiness to effectively respond to incidents.
Additional considerations
An IRP should be developed and put in place before an incident occurs. PE sponsors should consider additional oversight into these efforts by:
- Working with PortCos to test IRPs with a third-party provider or cybersecurity expert to ensure the plan is effective and feasible.
- Sitting in on tests, such as tabletop exercises, to ensure the IRP aligns with business goals.
- Following up on test results to hold the PortCo accountable for closing any identified gaps.
2. Assign an incident commander
Coordinating a response to a cybersecurity breach can be challenging and further compromised by a lack of leadership. It is necessary that PE sponsors engage with the leadership of their PortCos, as well as any existing security and IT teams, and ensure PortCos appoint an individual who can coordinate recovery efforts – an incident commander – who would need to be familiar with the organization and its business goals, and have great familiarity with the IRP. An effective incident commander should not only possess the necessary expertise to lead the response efforts, but should also have strong communication skills to engage with board members and other stakeholders. Depending on the available personnel, this individual can be an outside contractor, service provider, or an in-house operative at the fund level.
Additional considerations
PE sponsors should consider establishing an internal or external party responsible for overseeing and reporting on incident response developments. Sponsors should keep in mind that reporting on response developments should occur between the PortCo and sponsor during a cybersecurity incident as well as during the aftermath.
3. Establish communication channels and a communication strategy
Maintaining effective communication is key in the event of a cybersecurity incident. It is imperative that tasks and responsibilities be effectively communicated to the appropriate people for proper action to be taken, not to mention the need to determine what information is to be shared externally or kept internal to a company. Ineffective communication can lead to inefficient response tasks, resulting in a longer and disjointed recovery process and additional financial impact due to a slower recovery. Appropriately vetted information and effective communication with key stakeholders are paramount to prevent the loss of investor trust and potential reputational damage.
PE sponsors should create and facilitate communication channels between incident commanders, the PE firm, and the board to keep stakeholders fully informed. This should involve the establishment of back-up communication channels in the event a cybersecurity incident disrupts existing channels, and consistent internal and external messaging so stakeholders are not contending with contradictory information.
Additional considerations
Communication channels should be defined as part of an incident response plan and should be established ahead of an incident. PE sponsors should also consider:
- Establishing communication templates for both internal and external communication, addressing specific types of incidents to keep messaging consistent and increase efficiency.
- Establishing access points to the IRP that are not dependent on company systems in case the incident is sufficiently disruptive, and those systems cannot be utilized.
- Alerting other PortCos in the event that threat actors might target other companies within the portfolio. (Threat actors often perform reconnaissance and can use information gained from one PortCo breach to identify additional targets.)
4. Activate cyber insurance and forensic retainers
PE sponsors should ensure that, in the event of an incident, PortCos activate their cyber insurance policy and any forensic retainers for support in investigation and recovery efforts to reduce the overall impact of the incident and reduce costs for recovery.
Additional considerations
PE sponsors should consider providing additional support during and after a cybersecurity incident. Sponsors should ensure that:
- Incident response vendors are identified to assist with investigation and recovery.
- Direct communication is established with cyber insurance, forensic, and response vendors.
- Insurance vendors are fully aligned with sponsor and PortCo needs and business strategies.
5. Appropriate additional funding
PE sponsors have the responsibility to ensure portfolio companies have the necessary resources to respond to and recover from a cybersecurity incident. This includes ensuring a PortCo will have access to additional funds if needed and building processes for rapid approval of funding for assistance in recovery efforts of affected PortCos.
6. Commission an after-action study to evaluate response
Sponsors should always consider what can be learned from a cybersecurity incident and how impactful it was to a business. PE sponsors should ensure an after-action study is performed by an independent third party to quantify the impact of the incident.
Additional considerations
A cybersecurity incident, though undesirable, can serve as an opportunity for businesses to examine their practices and establish improved measures whenever possible. PE sponsors should ensure that by performing an after-action study they are able to:
- Share findings with all PortCos to ensure lessons learned are adopted across the portfolio.
- Implement baseline security requirements across the portfolio that align with findings in the report.
- Quantify losses resultant from the incident so the full impact can be measured and resources allocated accordingly.
How we help
ACA Vantage for Cyber is the only cybersecurity product designed specifically for private equity, venture capital, and private debt portfolio oversight. With this solution, you get expert support to build an oversight program that is formally governed, applied consistently, and designed to grow valuations.
ACA Vantage for Cyber can provide ongoing visibility to monitor and oversee your portfolio companies’ cyber health, giving you control to navigate risk, add value, and gain a competitive advantage. Powered by ACA Aponix®, ACA Vantage for Cyber combines our renowned advisory service with our award-winning regulatory technology, ComplianceAlpha®, and our exclusive “RealRisk” risk assessment methodology.
ACA Vantage for Cyber can help you:
- Align your cybersecurity oversight program to investor needs by leveraging best practices developed working with over 100 private market firms on oversight
- Save time with instant access to assessment results and the status of related remediation efforts
- Keep stakeholders informed and direct resources where they are needed most
- Uncover your firm’s risk from your investments from the fund level all the way down to individual cyber capabilities at individual portfolio companies
Reach out to your ACA consultant, or contact us to find out how we can help protect your portfolio.