On October 6, 2020, ACA Aponix held a panel discussion about portfolio company risk management at our Cyber Week Virtual Conference. The session featured panelists from leading Private Equity (PE) firms who have worked with ACA to deploy strategic portfolio company risk management programs and included participants from over 200 firms.
Areas of focus for the discussion included:
- Portfolio company (portco) risks are growing and mutating
- Attackers are targeting portfolio companies, especially small and mid-size firms
- Key considerations and lessons learned when establishing strategic portfolio company risk management
Let’s break these topics down.
Portco Risk on the Rise
With the increasing number of cybersecurity attacks targeting portcos and the resulting impact on investment value, the U.S. Securities and Exchange Commission (SEC) along with Limited Partner (LP) and General Partner (GP) internal risk functions have increased their focus on cybersecurity and privacy risk management oversight. In our work with clients, we are seeing an increase in attacks targeting portcos, possibly because they tend to be small to mid-size businesses with nascent cybersecurity programs in place. PE firms are specifically at risk of business email compromise and wire transfer fraud.
COVID-19 has only exacerbated cybersecurity challenges as we work from less secure networks at home and IT resources are being stretched thin as companies attempt to support rapidly changing business needs. Adding to that risk, portco management's time is more limited than ever as they work to navigate the increased cybersecurity risks and the evolving challenges of the pandemic – a phenomenon ACA calls RiskMutation™. As a result of these challenges, private equity firms require a risk management oversight approach that is efficient, minimizes impact on management, and provides enough fidelity into the unique cybersecurity risks across the portfolio to drive change where needed.
When we polled our webcast audience about their current approach to risk management, we found the following patterns:
83% of firms consider portco cybersecurity risk a top 5 risk, but over 40% have not yet implemented formal practices to oversee cybersecurity risk management at their investments. Many firms are still struggling to get the necessary buy-in from the operating partners and establish expectations from their portcos, often citing cultural concerns about mandating an onerous program.
It was also interesting to see that over 70% of those responding had received questions from their LPs about managing cybersecurity risks.
PE leaders report that limited resources and bandwidth add to the problem. Lack of IT support, deficient network monitoring, and outdated corporate policies continue to stymie efforts at risk prevention.
While a general SEC directive from 2015 indicated that cybersecurity is a responsibility that must be addressed by the board, and polling from the session indicates that 77% consider cybersecurity to be a major concern, the level of active interest from LPs is quite small. 38% of respondents indicated that less than 25% of LPs have actively asked about cybersecurity practices at investments.
Adding to the stress for the general PE leader is a frequent lack of awareness of risk at the individual portcos in their portfolios. Whether thinking “we are too small to be attacked” or just not considering it a top priority, attitudes and practices around cybersecurity need to mature to address and reduce risk.
Portco Risk Management Oversight Guidance
The SEC amended its rules regarding corporate governance and oversight of risk management in 2009 in response to the financial crisis. It stated that risk oversight is a key competence of the board, specifically calling out cybersecurity risk management oversight as a critical part of the board’s responsibilities.
In its summary, the SEC said cybersecurity risk had a potential material impact on a business due to business disruption, response costs, lasting reputational harm, and the cost of litigation and potential liability, and therefore required oversight.
With that background, it is imperative that PE firms leverage their board position to ensure cybersecurity risk is formally part of the agenda and set the expectation that management will be presenting on the topic. Three important questions that management should provide answers to include:
- What are our risks and what threat actors might manifest those risks?
- What investments have we made or need to make to ensure we have controls in place to adequately mitigate our exposure to those risks?
- Are we doing enough today when compared to our peers and our internal risk tolerance?
The panelists in our session recommended a balanced approach designed to be efficient, minimize impact on portco management, and provide enough fidelity into the unique cybersecurity risks across the portfolio to drive change when needed.
Key considerations discussed by the panelists included:
- The need to find partners at the firm to champion the cause and help establish a strategic approach to portfolio company risk management (e.g., ESG or risk committees).
- Partnering with the technology operating partners to communicate the program to the portfolio companies.
- LPs are more focused on portfolio company risk management than ever, and having a strategic approach gives your firm a strong story to tell.
- Ransomware risks have changed the risk profile of most investments, necessitating good cybersecurity hygiene across the portfolio companies.
- There is no one-size-fits-all security program. Any strategic approach needs to account for the different needs of portcos based on their inherent risks (e.g., industry, information assets, risk tolerance, investment value, etc.).
What’s needed is a level of oversight that makes life easier for PE leaders and easier for portcos in their portfolio as well. The ACA Aponix® PortCo Defend™ program was built with that in mind.
Staying on Top of Investment Risks: PortCo Defend
As is evident from our Cyber Week Portfolio Company Risk Management session, PE leaders are looking for a way to stay ahead of evolving cybersecurity risk. Their stress levels are high, and the need for an overarching solution is great.
ACA Aponix devised PortCo Defend, an efficient portco risk management oversight program, to give sponsors visibility into their portcos’ cybersecurity maturity, identify key gaps that expose their investments to possible attacks, and provide ongoing tracking of progress to remediate these gaps in a cost-effective way that minimizes disruption.
Watch the Portfolio Company Risk Management Session
You can access and watch all the sessions from ACA's Cyber Week On Demand.
How ACA Can Help
ACA Aponix offers the following solutions that can help protect your firm from portfolio vulnerabilities and related cybersecurity risk:
- ACA Aponix PortCo Defend
- Payment Fraud and Risk Assessments
- Cybersecurity and technology risk assessments
- Vendor diligence and management
If you have any questions, please contact your ACA Aponix consultant or email us at email@example.com.
About the Author
Chad Neale is a partner at ACA Aponix and oversees ACA Aponix’s Strategic Technology Advisory and Risk practice.
Chad has more than 20 years of experience in information security/privacy risk management, IT/security engineering and administration, and compliance readiness. Given his background in navigating complex regulatory environments in the financial services, healthcare, and energy industries, Chad brings a broad and unique perspective to the topic of security/privacy and a passion for helping organizations mitigate their exposure to security risks.