A cybersecurity breach can be expensive and cause long-term reputational and brand damage to your private equity group. It can also derail M&A deals that are critical to your fund’s survival. Start your risk management program here.
But less visible cybersecurity concerns can have equally dire consequences. Take, for example, a buy and sell transaction: Would you want to buy a company with potential liability for a large, undisclosed cyber breach? Would you sell a company only to realize that personal data unrelated to the sold entity was inadvertently transferred to the acquiring organization? Or what if a ransomware attack were to occur during a transaction and ruin the deal?
You can mitigate these scenarios through proactive, efficient management of cybersecurity risks that addresses seven key areas.
Governance and risk management
Cybersecurity oversight should start with management using the “tone-at-the-top” approach. You should provide funding for a high-level cyber framework, and portfolio company managers should follow the methodology to ensure the right controls are implemented across their organizations. Risk management should begin with a structured cyber risk assessment followed by appropriate investment in people, process, and technology. Your risk management plan should allocate resources to high-risk items instead of to technologies promoted by vendors. For example, it might be more effective to manage phishing risks with staff awareness training rather than deploying email filtering software.
Risk management should begin with a structured cyber risk assessment followed by appropriate investment in people, process, and technology.
User access privileges
It’s often said users are the weakest link, and statistics show half of cyber incidents are caused from users. Many times, their actions aren’t intentional or fraudulent, but could have been prevented by stricter user controls. Take, for example, the situation of a controller who innocently wires $500,000 to an offshore entity based on a fraudulent email. If he or she hadn’t had permissions to single-handedly approve a payable of this magnitude, disaster might have been avoided. Similarly, prior to and after an M&A transaction, user access must be reviewed to ensure users from the prior entity no longer have access. Even if a transaction isn’t in the works, it’s prudent to review access privileges periodically (we recommend at least annually) to ensure access is current and relevant to the roles performed. Timely removal of access to departed employees will is also vital. Remember, just as you monitor physical access with cameras and security guards, you should monitor all user access and activity on your network.
Data loss prevention
Data loss prevention is designed to minimize unauthorized data transmission or “leakage” of personal information or your organization’s intellectual property. Sensitive data can be protected by following these important prevention activities:
- Perimeter protection: Similar to security of your physical assets, the network needs a strong outer perimeter to manage inbound and outbound traffic. Technology such as firewalls, intrusion detection and prevention systems, and email content filtering are a must.
- Network scans: Regular network vulnerability scans are necessary to identify weaknesses such as missing critical security patches, malware, etc.
- Patch management: A patch management and anti-virus program should be implemented across all hardware and software, including technology hosted by vendors. Systems running on outdated or unpatched software are a favorite target of hackers.
- Unauthorized devices and personal use: Reduce the vectors for data loss by limiting the use of USB devices and print functionality on network-connected devices. Similarly, limiting access to personal email and online file sharing portals will prevent staff from moving data/files out of the corporate network.
- Encryption: Encryption of data at rest and in motion will restrict unauthorized access in the event of a breach.
As mobile access to company data becomes commonplace, staff-owned devices such as phones and tablets need controls similar to those on corporate-managed laptops. Do you have the functionality to protect and erase company data on a stolen device? Can you prevent staff from using a mobile device to leak data by saving files from a restricted folder to an open folder on the phone, take screenshots, or paste data from a restricted file to the mobile device? Mobile device management software can provide you greater assurance in this area.
In the event of a breach, will your organization panic and depend on heroic actions of individuals? Or do you have a designated response team and a well thought-out and tested action plan? Does your plan incorporate procedures required by your insurance carrier and relevant laws? This is an area most organizations overlook. We’ve seen numerous documented procedures that fail within the first 15 minutes of a breach. Don’t let this happen to you. Test your plan and identifying the shortfalls before the unthinkable happens.
Recent cyber breach incidents are showing that increasing numbers of private data breaches occur at a vendor. Have you assessed the cyber security capabilities of your vendors? Ensure that vendors are protecting your data to your standards and appropriate notification standards are in place and will be followed if a breach occurs. Also remember to check whether your insurance policy covers costs related to a breach by the vendor.
Training and awareness
Last but not least — ongoing training is essential to remind staff of the latest cyber risks and the responsibilities that go along with their role. We recommend mandatory annual security awareness training that includes password tips, phishing awareness, preventing actions that put the organization at risk (such as connecting unauthorized devices to the network), data-loss prevention tips, and whom to call to report suspicious activity.
Ongoing training is essential to remind staff of the latest cyber risks and the responsibilities that go along with their role.
You've worked hard to increase the value of your investments and grow your portfolio. Don't let a cyber incident destroy your reputation and put your data assets at risk. Continue reading to learn how you can use a cyber resilience strategy to protect your own organization and your portfolio companies from cybersecurity threats.