By Paul Harragan, Associate Director, Cybersecurity, Operational Transaction Services, EY.
The days when cybersecurity was just one of many boxes to tick during the due diligence process are history. With digital permeating every facet of business, combined with the heightened political scrutiny of the treatment of data, the cost of weak cybersecurity has never been higher.
We had the chance to discuss this with leading private equity-backed CEOs and CFOs at the recent EY Private Equity Portfolio Forum.
The first thing to understand is that the risks are real, not only for your company but also for your private equity investor and even their fund investors. The latter are particularly focused on the cybersecurity agenda as a subset of environmental, social and governance, given that many limited partners are exposed to reputational risk from a political perspective.
It also affects valuations. There can be a material change in the valuation of a company that is found to have a weak cybersecurity posture.
As a result, the issue has been creeping up the agenda in due diligence processes, while a number of private equity firms are starting to introduce cybersecurity best practice across their portfolios, as a way of enhancing value as well as controlling risk. Over time, the market ecosystem tends to identify and assimilate best practice, and there is evidence to suggest this is happening with cybersecurity risk.
Here are our four top tips from the forum:
Hope for the best, plan for the worst
Hackers only need to succeed once. No technology solution is infallible, so it’s not enough to do a penetration test and say ‘job done’. The risk mitigation journey often takes time to complete, and the results only give a view of that point in time, whilst threat actors continually evolve. The leadership mindset should therefore be around having a crisis plan in place and access to an emergency incident response provider. How we react (good communications and fast action) can be the difference between a glitch and a catastrophe.
Embed cybersecurity diligence
We are starting to see a number of private equity firms, notably in the mid-market, embedding cybersecurity due diligence as part of their deal execution. The majority, who still treat it as an afterthought, will need to play catch-up. This isn’t unique to private equity – an EY survey found that just 4% of companies were confident that they had fully considered the cybersecurity implications of their current strategy.
Make cybersecurity risk management cultural
Cybersecurity risk is as much a people risk as a technology risk. It should be a priority at every level of the corporate structure, from investors, boards and executives through to operations. Coaching the CFO or CEO to drive the importance of cybersecurity down through the organisation, so that everyone takes responsibility for it, and teaching staff how to identify and respond to potential threats, are both essential.
Talk in business terms
It is possible to quantify the impact of cybersecurity on enterprise value, so make sure everyone knows what’s at stake, and talk about it in terms of business value.
Cybersecurity shouldn’t be expressed in jargon. Use plain English with the management team to ensure you have pragmatic conversations.
Delegation of cybersecurity risk to ‘someone in IT’ – a common historical model – can lead to a disconnect between the business’s real IT security exposure and the executive team’s perception of it. Often, the company’s cybersecurity exposure will never have been articulated to the top table, and its magnitude only becomes clear when it’s too late.
Companies and their investors need to remember that it is not illegal to be the victim of a cybersecurity-related crime, be that a data breach, unavailability of service or fraud. However, doing nothing is not an option. Making sure that you implement the correct measures to protect the business and its customers’ data is key. Having in place the procedures and processes to ensure cybersecurity risks are controlled and incidents are handled and reported responsively is more important than ever.