What’s the issue that most keeps chief finance officers and compliance executives awake at night? Cybersecurity and the worries about being hacked. “This is on the top of my list,” one finance chief told our 2017 CFO survey. “I am very concerned about phishing emails and other possible intrusions.”
With Equifax, FedEx, Uber and the UK’s National Health Service revealing last year that they had suffered major cyber incidents, ranging from large-scale data breaches to ransomware outages, private equity executives are starting to face up to the reputational risk they may suffer if a portfolio company is targeted.
“Whether it be ‘fake CEO’ attacks or more structured hack-attacks, cyberattacks are happening with increasing frequency,” says Triton head of ESG Graeme Ardus. “We have seen a rising number against our portfolio companies. [The cyber-threat] is real and it’s a risk. We are very keen to make sure that we, as a firm, and our portfolio companies, have appropriate cybersecurity policies in place.”
GPs recognise that the consequences of a cyberattack can be catastrophic, including potentially punitive financial costs, operational disruption and reputational damage. At the same time, they are increasingly viewing robust cybersecurity as important to maintaining high environmental, social and governance standards.
“We see a cyber policy as part of the broader ESG agenda,” says Ardus, adding that the firm requires all its portfolio companies to implement a cyber policy, starting with a code of conduct. “As with all the mandatory elements of our ESG programme, it’s important to have the training to deliver the requirements of that policy.”
Worryingly, fewer than half of the CFOs and operational executives that we surveyed said they felt well prepared to handle a cyberattack.
GPs often correctly frame cybersecurity as a business continuity issue, says Adam Black, Coller Capital head of ESG and sustainability, “but there is a recognition that if you get it wrong it can have ESG impacts, particularly on the G and S. Personal data security, for example, is an ESG issue”.
Lack of disclosure
As a marker of cybersecurity’s arrival on the ESG agenda, the Principles for Responsible Investment, to which numerous GPs are signatories, established a cybersecurity advisory committee at the end of 2016 to discuss the issue with stakeholders. The project was prompted by feedback from signatories who had identified cybersecurity as a key issue, says Vaishnavi Ravishankar, PRI governance issues manager.
The goals of the project, which focuses on cybersecurity as a feature of good governance, include increasing disclosure around cyber issues, developing minimum standards and putting together a list of key questions to ask companies, says Ravishankar. These include who is responsible for the management of cyber risk within the company and how the cyber strategy connects with the overall sustainability strategy. “At the moment, we are lacking disclosure. There isn’t too much information available for investors to understand what is in place to manage these risks,” she says.
And while the PRI initiative is currently concerned with listed entities in the financial, healthcare and consumer sectors, the project has the potential to expand to include private equity. “The material issues are the same,” says Ravishankar. “The nature of conversations you can have in PE are different [to public companies] and a lot of headway can be made here. PE firms see the opportunity as well as the downside risk.”
The emphasis on governance mirrors the evolution of an increasingly complex regulatory environment, which includes the EU General Data Protection Regulation becoming enforceable in May. The GDPR allows fines of up to €20 million or 4 percent of global annual turnover, whichever is higher, for failing to meet its stipulations governing the protection of personal information.
“A good chunk of GDPR compliance is underpinned by good cybersecurity,” says Alasdair Redmond, head of service delivery and technology at Intuitus, a specialist technology and IT advisor to European GPs.
The deadline also falls this year for member states to implement the first piece of EU-wide legislation on cybersecurity, the Directive on Security of Network and Information Systems, while the Regulation on Privacy and Electronic Communications, which is intended to replace the e-Privacy Directive, is still being negotiated.
The increase in data protection and transparency-related regulation has raised awareness across the private equity industry of how much critical data every business has, whether it’s a healthcare business with patient records, or a B2B business with data that needs to be protected, says Ardus.
The impact of a breach can be massive. Equifax disclosed in September that attackers had accessed files containing the data of around 146 million US consumers, along with 15.2 million records relating to the UK, leaving those affected exposed to possible fraud. The credit reporting giant now faces an onslaught of regulatory scrutiny, including a Congressional hearing, a US Federal Trade Commission investigation and a UK Financial Conduct Authority inquiry.
But cybersecurity threats to ESG are not restricted to data theft or large corporates. A hack-attack on an oil pipeline, for instance, could result in environmental damage. An attack on a hospital facility could disrupt a network of medical devices, says Crosslake Technologies consultant Breen Liblong. The implications for patient health and safety are obvious.
Ardus agrees. “It doesn’t have to be customer data or a hack-attack on a request for payment. We have B2B businesses manufacturing and supplying components to others. Look at that risk. With the development of artificial intelligence, smart fridges can be used as bots, for example. This rightly raises people’s concern to make sure that this topic is adequately addressed.”
“Cybersecurity is a topic we are talking about more and more and is increasingly important to the subject of digital transformation, which is itself closely linked to ESG,” says Ardian head of corporate and investment responsibility Candice Brenet. “But it’s pretty new, and new for the deal teams too, which are interested in learning from our ESG consultants.”
To help GPs, Invest Europe is in the process of updating its ESG due diligence guidelines with a questionnaire that will include cybersecurity for the first time, says Ardus, who sits on the Invest Europe Responsible Investment Roundtable.
When the new guidelines are published, expected this quarter, they will include questions on whether companies have a cyber policy and whether they have been victims of an attack. “This is an increasingly recognised pillar of the due diligence process, which I would say several years ago was absolutely not the case,” says Ardus.
In general, “cybersecurity is becoming a staple of IT and technical due diligence”, says Redmond, who has conducted cyber assessments on a number of private equity-owned businesses and GPs. “There is growing awareness among GPs as they look across their portfolio that it is not clear what the cyber risk profile is.”
At the same time, there is also growing pressure from LPs for GPs to consider cyber risks. While only 20 percent of LPs currently require GPs to undertake a cybersecurity risk assessment at the management company level, this is expected to rise to more than half in three-to-five years, according to the Coller Capital Global Private Equity Barometer published in June.
And while only 9 percent of LPs currently require managers to undertake a cyber assessment of their portfolio companies, that is expected to rise to 45 percent within five years, according to the Barometer.
“The GPs that we’re close to and share information with on cyber are looking at ways to engage with their portfolio companies in a meaningful way [including in terms of cyber from an ESG perspective], talking with consultants and peers in the industry,” says Black.
The impetus to collaborate is clear. As more companies promote their cybersecurity and ESG credentials during vendor due diligence, a cyber intrusion poses a threat not just to business continuity but also to a GP’s ability to achieve an optimal exit.
1. View cybersecurity as a strategic issue
Cybersecurity is a business-wide concern, not just an IT one. Crosslake Technologies consultant Breen Liblong advocates establishing cybersecurity as a standing agenda item at board level. It is in the directors’ interests, he adds, as they could be liable in the case of an attack. Alasdair Redmond, head of service delivery and technology at Intuitus, makes the same point: “If someone is appointed at the board [to take responsibility for cybersecurity] they start driving that culture throughout the organisation.”
2. Be aware of vulnerabilities
Whether the risk is phishing, denial of service, privilege misuse or point-of-sale intrusion, among a range of possible threats, businesses need to understand their weaknesses by undertaking a comprehensive security assessment. This includes reviewing infrastructure, applications and network configuration, as well as penetration testing. “All companies should do a security assessment even if it is light touch,” says Karl Keyte, Crosslake Technologies senior consultant.
3. Establish an emergency response plan
This includes designating an incident response team, monitoring and assessing the impact of an attack, taking remedial action, alerting staff about the incident and communicating externally, as well as conducting a root cause analysis afterwards, says Keyte.
4. Remember that testing is only the first step
Test appliances and software regularly, and review plans, including threat modelling, measurement points and intrusion detection systems. “Don’t do a security assessment, find a vulnerability and think you are done,” says Liblong.
5. Put awareness at the top of the agenda
All employees, from the chief information security officer down through the management chain, must be trained on cyber risks, best practice and procedures. “The human element is a significant factor in cyberattacks,” says Liblong.
6. Keep up to date with industry standards
“Organisations that have chosen to, or their customers have obliged them to, get certified are in the best shape,” says Keyte.