“It’s open season on infrastructure,” Jeffrey Altman, senior advisor at Swiss consultancy Finadvice said during an early June interview. He was referring to the $4.4 million ransom that Colonial Pipeline paid hackers after a ransomware attack in early May led the largest refined products pipeline in the US to go offline for a week.
Altman did not know how quickly he would be proved right. Less than a month after the Colonial Pipeline attack, three more companies would fall victim to cyber-criminals over the course of a single week: meat processor JBS, the Steamship Authority in Massachusetts and clean energy company Invenergy.
Although the news of the attacks has been riveting, the events themselves should not have come as a surprise. There is plenty of data available that attests to the growing threat of cyberattacks.
In an advisory published last October, the US Department of Treasury, citing data from the Federal Bureau of Investigation, stated that there had been “a 37 percent annual increase in reported ransomware cases and a 147 percent annual increase in associated losses from 2018”.
For 2020, figures from McAfee’s latest threats report, published in April, also showed a steep increase in pandemic-related threats.
The company’s global network of more than one billion sensors detected 1,017,237 threats in Q3, a 140 percent increase on the second quarter. Yet although covid-19 fuelled an already upward trend in cyber-threats, the economic impact of the pandemic forced infrastructure investors’ attention elsewhere.
In our LP Perspectives 2021 Study, cybersecurity came seventh when LPs were asked to identify the factors they thought would have the greatest impact on their private markets portfolios’ performance over the following 12 months.
The top three concerns were a recession in core markets, the pandemic and extreme market valuations.
“It’s true that cybersecurity seems to be lower on [LPs’] agenda when conducting due diligence, when they ask questions compared to issues like ESG,” acknowledges Olivier Laroche, a partner at Paris-based InfraVia Capital Partners. “However, we’ve seen recently, during the due diligence process, that LPs are interested to learn about our digital roadmap, our approach to digital strategy and whether we’ve put dedicated resources in place – so questions you didn’t see two years ago are coming.”
Michael Asher, president at cybersecurity services provider Richard Fleischman & Associates, says part of the reason that companies – not just in infrastructure, but more widely – are being caught out is that the landscape has changed drastically and there is a skills gap.
“Ransomware is becoming a big business,” he says. “The only way we see it being mitigated efficiently is through the implementation and proper configuration of new technologies, including advanced threat detection for networking and endpoint assets, email threat detection, and systems supporting resiliency/availability for critical information systems, such as geographically diverse cloud platforms. That’s not a skill set that is widely available.”
A 2020 report by the EU Agency for Cybersecurity, Cybersecurity Skills Development in the EU, supports Asher’s observation: it indicated that roughly 291,000 job vacancies for cybersecurity professionals in Europe remained unfilled at the end of 2019. Aside from the skills gap, though perhaps related to it, is a lack of understanding of cyber-risk.
“I think it’s safe to say until six months ago, that kind of risk wasn’t really understood and it was just chucked into an insurance policy,” says Nathan Jones, director of cyber within Aon’s M&A and transaction solutions group in the EMEA region and the firm’s infrastructure lead. “It’s probably the only type of risk that historically hasn’t gone through any sort of risk cycle, in terms of exposing, understanding, mitigating, managing and then putting that residual risk that you just can’t do anything with into an insurance policy. Cyber seems to have bypassed that sort of risk loop and gone straight into risk transfer.”
He explains that it is becoming increasingly difficult to buy insurance coverage for cyber-risk “unless there is evidence of cyber due diligence having taken place”.
Greater diligence needed
According to Jones, companies would conduct IT due diligence and think that also included cyber due diligence. “But IT due diligence and cyber due diligence are two very different subjects,” he says.
Something else companies need to understand is that because cybercrime is an increasingly dynamic business, investing in static IT infrastructure can no longer be on a five-year basis – which, according to RFA’s Asher, was common in the past.
“You were looking at hardware depreciating over five years,” he says. “You need to understand that the fundamental approach of budgeting for the next five years and thinking what you did today will apply tomorrow, in three years’ and four years’ time, is no longer the correct approach.”
Asked whether strengthening cybersecurity is a matter of investing more capital, InfraVia’s Laroche replies: “Of course, there is the angle of the investment in tools, systems, in network security as well as our digital roadmap, which we plan with each of our companies and have validated at the board level.”
He says the types of tools InfraVia is investing in for itself and for each of its portfolio companies include authentication and authorisation management, distributed network security and endpoint security, “which covers protection, detection and response.
“But there is also another angle, which relates to training your workforce – both for those who are on-site as well as those working remotely. Because the threats that emerge are very much linked to the apps people use daily and for very routine communications.”
Protection to value creation
As the focus on cybersecurity intensifies, it will become an increasingly important component of ESG.
“We’re seeing a number of investors – not just in the infrastructure space, but also the wider private equity space – increasingly embedding cyber in their governance framework,” says Edwin Charnaud, chairman of Aon’s M&A and transaction solutions group in EMEA.
“Some of our clients are even including their cybersecurity strategy, that we’ve helped them develop, within the ESG reports they’re providing to their LPs.”
Aside from assuring their LP clients that they have implemented the necessary cybersecurity measures, GPs will also need to do so as part of their exit strategy.
“What we’ve seen is that whenever an investment is made, due diligence is performed on the company and the price of that company is calculated based on risk,” RFA’s Asher says. “So, when you look at risk mitigation, now IT becomes a larger factor in those calculations.
“Once that’s done, once people understand that ‘the value of my company really depends on my cybersecurity posture and what I’m doing in terms of technology’, that will move the needle much quicker [than regulation].”
Asked whether the infrastructure investment industry is catching up quickly, Aon’s Jones replies: “Catching up? Yes. Quickly? Jury’s still out. Are we seeing more requests? Yes, 100 percent, almost on a weekly basis.”
With infrastructure an increasingly attractive target for cyber-criminals – according to Jones, these attacks require minimal input but have the maximum effect – this is not a threat that is going away anytime soon.
“Cybersecurity is infrastructure’s Achilles heel,” Altman told us in our June conversation. Unless infrastructure asset owners, managers and all relevant stakeholders step up their efforts quickly enough, he stands to be proved right a second time.
One manager’s virtual shield
“I’d say in the past four to five years we started being really proactive on [cybersecurity] when it was still a bit under the radar,” says InfraVia’s Olivier Laroche.
“And I think in 2020, covid has actually accelerated the risk related to cybersecurity and has also accelerated our approach and how we help our portfolio companies become more resilient.”
The firm has established the InfraVia Digital Forum, an “ecosystem” comprising the IT managers and senior management from its portfolio companies, the firm’s asset management team at the fund level, and external experts. Having this ecosystem in place has made it easier for the firm to respond to LP requests for information on specific threats that it has started to receive.
Since launching its growth equity fund two years ago, InfraVia has built a team of 10 experts in B2B software and cybersecurity issues. “They actually invest in companies which provide cybersecurity solutions,” Laroche says.
The firm hired a third party to help it identify the vulnerabilities in each of its portfolio companies and to provide the management teams with a diagnostic tool, which then enables InfraVia’s senior management to draw up an action plan and put it before the board for approval.
“The difficulty with private equity portfolio companies is that you have companies that are in very different sectors and at different levels of maturity,” Laroche explains. “They therefore need different tools.
“We’ve used a framework, mostly based on CIS 20, which is one of the US reference frameworks used to analyse cyber-threats, and we’ve done technical configuration testing, penetration testing. So we’ve explored our vulnerabilities in-depth.”