Cyber-crime is not a question of ‘if’ but ‘when’

Recent SEC proposals on cybersecurity will mean private equity firms must improve how they address cyber-threats.

Last February, venture capital giant Sequoia Capital was forced to apologise to investors as their personal and financial information was accessed by a third party after an employee’s email was successfully phished. The 2020 cyberattack on Thoma Bravo and Silver Lake-backed software company SolarWinds triggered a much larger supply chain incident that affected thousands of organisations including the US government.

Investors are bearing the brunt of cyberattacks too. Cybersecurity breaches on LPs have risen significantly, a December report from Coller Capital found. Nearly one in 10 LPs have suffered a cybersecurity attack in the last five years – almost double the proportion since 2017. Fear of a cyberattack is also becoming more real, with around two-thirds of LPs expecting an attack on their own organisation at some point in the next five years and almost three-quarters also said they are likely to require cybersecurity risk assessments of their GPs’ management companies within the next few years.

In a timely move, KKR has recently added a global head of cyber for its portfolio companies as part of its long-term strategy to fortify its resilience to cyber-threats. The manager is stepping up cybersecurity efforts in the firm and its portfolio companies to “stay ahead of the game”, co-head of European private equity Mattia Caprioli told affiliate title Private Equity International, noting that cybersecurity is one of the biggest risks the industry faces.

“Everyone is thinking about security now”, says the head of Europe PE at a global investment firm. “That’s one of the big impacts from the [Ukraine] war – a focus on sovereign security, energy security and cyber.”

Cybersecurity is also drawing increasing attention from the US Securities and Exchange Commission. The regulator proposed rules for investment firms and advisers in February that outlines concrete cybersecurity policies and procedures including on risk assessment, information protection and response and recovery.

Cyberattacks for LPs and GPs could range from stolen data to attackers demanding ransom, as well as a loss of innovation and investment. Massive attacks last year on critical infrastructure company Colonial Pipeline and meat producer and supplier JBS are frightening examples of the millions of dollars at stake in ransomware attacks.

PE firms have not historically regarded cybersecurity evaluation as a high priority in deals, focusing instead on deal performance, according to report from EY. That has risen up the agenda as the quick transition to a remote workforce during the pandemic escalated information vulnerabilities and left businesses more exposed.

In fact, by 2025, cyber-crime is expected to cost businesses a whopping $10.5 trillion globally annually, according to research group Cybersecurity Ventures.

Firms have been betting big on cybersecurity deals – some $22.2 billion of cybersecurity buyouts were recorded in the first two quarters of last year alone, a 60 percent increase on the full-year figure in 2020, PitchBook data shows. Thoma Bravo, Bain Capital, KKR and Crosspoint Capital are among the sector’s busiest buyers.

As state-sponsored hacking becomes more opportunistic, more sophisticated and better organised, it’s a must for firms to take effective action now and have a playbook they can run – when the inevitable happens.

Carmela Mendoza is a senior reporter at affiliate title Private Equity International