Three Eras of Cybersecurity Portfolio Oversight

Author

ACA Aponix

Publish Date

Type

Article

Topics
  • Cybersecurity

Private equity (PE) firms (as well as venture capital and hedge funds) have a fiduciary responsibility to oversee risks to capital invested in portfolio companies. Historically, cybersecurity risk has not been a major consideration of such oversight activities. Over the past several years, however, cybersecurity oversight has gained attention due to the evolving nature of the cybersecurity threat landscape. Today, 79% of firms polled by ACA have some sort of cybersecurity oversight in place.

Not only have cyber-attacks increased across industries, with a 38% increase in global attacks reported between 2021 and 2022, but the targets of such attacks have also broadened. Small and mid-sized organizations, which frequently feature in investment portfolios, are consistently targeted. About 82% of ransomware attacks, for example, target companies with fewer than 1,000 employees.

Attacks on portfolio companies present significant risks to PE firms. An attack can harm the reputation of both the portfolio company and the PE firm, and it can devalue investments to the detriment of investors. Due to the increased impact of cybersecurity on the overall risk landscape for PEs, investors are starting to ask what measures are being taking by sponsor firms to mitigate cybersecurity risks that could threaten investments.

Accordingly, firms are evolving their approach to cybersecurity oversight. Three eras of cybersecurity oversight can be roughly defined based on different approaches that have been adopted by firms. This article will review the evolution that has taken place and show how oversight must continue to develop to meet regulator and investor expectations.

Era I: Diligence-based cybersecurity oversight

Historically, investment firms have addressed cybersecurity merely as a facet of due diligence ahead of investment in a portfolio company. As shown in the graphic below, 21% of firms do not even regularly conduct pre-deal due diligence, and 17% of firms limit their cybersecurity oversight efforts to diligence activities.

Distribution of PE firms in 2023

Due diligence-based cybersecurity oversight is relatively low effort for firms to institute, and is sometimes premised on a perceived need to be less invasive towards portfolio companies. This impression, which persists even through our second era of portfolio oversight, ignores that most portfolio companies care about cybersecurity and are aware that they need help. This is especially true of smaller companies that lack the resources for well-developed cybersecurity programs without effective cybersecurity oversight from their operating partners.

In any case, pre-deal diligence alone is severely limited in scope and is significantly lacking in the level of risk understanding it provides to firms and investors. Specific companies are only assessed at a single point in time, which is insufficient for the dynamic nature of cyber threats. And even if a deal team performs effectively in finding cybersecurity issues ahead of a deal, there is no guarantee their findings will be actioned accordingly.

Era II: Ad-hoc approach to cybersecurity oversight

Recognizing the limitations of the diligence-based approach, firms have begun to conduct oversight activities post-acquisition. As seen in the below graph, some of the more common oversight activities include setting a minimum security baseline and conducting regular vulnerability scans, penetration tests, and risk assessments.

Types of Oversight

Of the firms surveyed by ACA, 52% are doing one or more of these activities.

However, most companies do not perform all of these activities, and when they are performed, they are not systematically applied across the portfolio. Firms tend to focus on some organizations deemed to be of higher inherent risk, however no organizations can really be considered at a low risk within the current cybersecurity threat landscape. This ad-hoc approach overlooks potential risks at other organizations that need focus.

Even firms which require a minimum baseline of security standards for all portfolio companies tend to assess their companies by using a list of basic controls against which their companies are occasionally surveyed. However, such basic controls cannot help against a growing number of aggressors that will exploit whatever weaknesses exist, and the occasional surveys used in these assessments result in point-in-time measures which are insufficient in the evolving space of cybersecurity.

The other limitation of Era II is that while it attempts to address downside risks, it ignores value creation opportunities from cybersecurity portfolio oversight. The inconsistent application of oversight activities associated with this approach can become a point of contention with investors, especially as stakeholders become more aware of cyber-risks. Failing to respond to investor expectations is detrimental to value creation for any portfolio company, and to the investment firm as a result. The lack of structured, consistent application of cybersecurity measures can also cause firms to miss out on the efficiencies and economies of scale offered by a systematic portfolio-wide approach.

A new Era: A programmatic approach to cybersecurity portfolio oversight

Firms seeking to better manage risk and create value are instituting programmatic approaches to their cybersecurity portfolio oversight. A programmatic approach is formally governed, applied consistently, and exploits opportunities to drive value creation for companies within an investment portfolio. In ACA’s experience, at most 10% of firms are doing this today.

Cyber Oversight Approach

ACA has identified 13 key elements for successful programmatic cybersecurity oversight of portfolio companies. There are several characteristics, described below, that set a programmatic approach apart from previous eras.

Because a programmatic approach requires the consistent application of oversight measures across a portfolio, firms must be able to assess the risk of every portfolio company on a regular basis, rather than at specific points in time or for a few specific companies. This engenders a better understanding of risk for the portfolio as a whole and allows firms to build the capability to quickly assess and respond to threats and vulnerabilities across the portfolio.

A deeper understanding of risk for each portfolio company allows for specific cybersecurity measures to be applied to companies as needed, providing significant flexibility while remaining consistent in the regular assessment of risk and implementation of measures across the portfolio.

Proper documentation of cybersecurity oversight for each portfolio company beyond diligence expectations can be used to improve valuations. The development of a process that will allow resources to be shared across portfolio companies – such as data and insights – further consolidates cybersecurity measures in the portfolio, and unifies acquired cybersecurity services to be applied across a portfolio. This allows firms to minimize costs by leveraging economies of scale.

A programmatic approach to cybersecurity oversight closes many of the gaps and limitations of previously employed approaches. Not only does it provide significant benefits in the form of value creation, it also allows firms to manage cybersecurity oversight for the entirety of their portfolio within an established framework and presents a more consistent working process for cybersecurity implementation and management.

Programmatic Approach

Click here to expand. 

This programmatic approach to oversight requires governance structures that can be a challenge to implement. Nevertheless, tools exist to aid firms in implementing effective programmatic cybersecurity oversight.

As cybersecurity continues to increase as a key factor in investment decisions, firms will be expected to pursue more extensive and efficient forms of oversight across their portfolios. With mounting pressure from various stakeholders, firms should seek to improve their approaches to cybersecurity oversight and consider implementing a programmatic approach.

How do you implement a programmatic approach to cybersecurity oversight?

ACA has helped more than 100 private equity, venture capital, and hedge fund firms improve cybersecurity oversight of their investments. Based on our learnings from those interactions, we provide a path forward in our white paper and webcast.

  • Download our white paper to learn how to rebut common myths that stand in the way of firms’ adopting programmatic oversight. We then offer a framework for organizations to begin evolving their approach, enabling them to avoid value destruction, better compete for capital, and increase valuations.
  • Watch our webcast for a discussion of what a programmatic approach to cybersecurity oversight is, the benefits to this approach, and how ACA can help you adopt it.

How we help

Our new portfolio oversight solution, ACA Vantage for Cyber, is the only cybersecurity product designed specifically for private equity, venture capital, and private debt portfolio oversight. With this solution, you get expert support to build an oversight program that is formally governed, applied consistently, and designed to grow valuations.

ACA Vantage for Cyber can provide ongoing visibility to monitor and oversee your portfolio companies’ cyber health, giving you control to navigate risk, add value, and gain a competitive advantage. Powered by ACA Aponix®, this solution combines our renowned advisory service with our award-winning regulatory technology, ComplianceAlpha®, and our exclusive "RealRisk" risk assessment methodology. 

ACA Vantage for Cyber will help you to:

  • Align your cybersecurity oversight program to investor needs by leveraging best practices developed working with over 100 firms on oversight 
  • Save time with instant access to assessment results and the status of related remediation efforts 
  • Keep stakeholders informed and direct resources where they are needed most 
  • Uncover your firm’s risk from your investments from the fund level all the way down to individual cyber capabilities at individual portfolio companies. 

Contact us to find out how we can help you protect your portfolio. 

Contact us