Cybersecurity is vital for PE firms due to exposure to cyber threats. Effective management and insurance strategies are crucial.
Cybersecurity has become a critical concern for Private Equity (PE) firms. With frequent deal announcements, a vast amount of sensitive data and readily available capital, they can be seen as attractive targets for cybercriminals. PE firms need to monitor both their own cybersecurity and that of their portfolio companies. The repercussions of a cyber incident can be severe, impacting both immediate financial stability and long-term investor confidence.
Why cybersecurity matters for PE firms
PE firms are exposed to cyber threats at both fund level and through portfolio companies
Unlike corporate M&A, where the entity is onboarded and IT systems are subsequently integrated, PE firms do not typically integrate systems with their portfolio companies. The cyber risk remains within individual portfolio companies, yet the PE firm remains exposed to legal liabilities, costs and repu
PE firms are exposed to cyber risks throughout the entire investment lifecycle
Public announcements of PE deals can increase the likelihood of cyber incidents. Portfolio companies can be perceived as lucrative targets because of their new access to capital, and those with less mature IT infrastructure in place are more vulnerable to attacks. The costs of these losses can be significant: WTW's 2024 Cyber Claims Analysis reported an average ransom demand of nearly USD 5m. This does not include further related costs, including IT forensic support and any associated business interruption.
Effective management of these risks, from initial due diligence to sale preparation, can significantly influence the investment's value
It is important to address cyber risks early in the due diligence process and, if possible, have appropriate cybersecurity measures implemented before the transaction date. During the hold period and prior to the sale, PE firms will need to adopt an appropriate cybersecurity strategy for the portfolio company to best position themselves for an exit. Each portfolio company could have a differing level of IT maturity, which may necessitate a tailored cybersecurity approach. However, best practices can be applied across the PE portfolio.
Impact of cyber incidents on investments
Cyber incidents can impact investments in various ways at all stages of the investment lifecycle, whether pre-acquisition, during the hold period or at the point of exit:
Pre-acquisition
After identifying a target, if cybersecurity is not appropriately assessed during due diligence, vulnerabilities may go unidentified and the deal value can be overestimated. WTW has seen target companies suffer cyber-attacks even during a transaction process, and in such instances being able to quantify the potential exposure is critical from a valuation perspective.
During the hold period
01
Financial implications
The costs of a cyber incident can be considerable, including legal fees, public relations, credit monitoring, call centres and IT forensic support. A cyber incident can also have long-lasting consequences: there may be a business interruption impact resulting in a loss of revenue and increased operating costs. Our 2024 Cyber Claims Analysis report details a significant loss from a malicious data breach handled by our claims team. The loss required engagement with various vendors and specialists and totalled USD 300m.
02
Regulatory exposures
With the evolving data protection and cybersecurity regulatory environment, Private Equity firms will be required to ensure their portfolio companies comply with relevant regulations. Portfolio companies will need to adhere to the requirements of GDPR (or the local equivalent thereof) or, for portfolio companies that fall within scope, the recently adopted EU NIS-2 directive. If there are regulatory breaches, companies may also be subject to penalties.
03
Reputational damage
It is common for companies to suffer reputational damage following a cyber incident. If there has been a breach of customer data, this can impact customer loyalty and trust. This reputational damage could go further than one portfolio company and could affect the private equity firm by impacting investor confidence at fund level and even future fundraising.
Exit
A robust and mature cyber posture within a company can mean it is perceived as more resilient and capable of long-term growth, which can increase market value at the time of exit. Conversely, portfolio companies with inadequate cybersecurity measures are less attractive to potential buyers and are often seen as higher risk; this may result in fewer interested bidders and a greater challenge in obtaining the maximum valuation.
If the public announcement of a deal encourages a cyber-attack at the portfolio company during a transaction process, this can delay deals or, in the worst-case scenario, cause them to collapse.
What role does insurance have to play?
Warranty and Indemnity (W&I) insurance and cyber insurance
A W&I insurance policy is typically purchased to protect buyers and/or sellers from financial losses arising from breaches of warranties and indemnities in the sale agreement. These sale agreements often include warranties related to cyber risks. Historically, W&I insurers were reluctant to cover cyber risks, often including a general cyber exclusion. However, insurers are now more willing to provide coverage, subject to appropriate due diligence and sufficient operational cyber insurance being in place at portfolio company level.
While W&I insurance can offer some protection against cyber risks, it is not a substitute for cyber insurance at the portfolio company itself. W&I insurers typically look to sit in excess of the target's specific cyber insurance policy, ensuring comprehensive coverage.
Cyber insurance solutions for PE firms
PE firms have two key options for cyber insurance:
Standalone insurance programs
Each portfolio company purchases its own insurance policy, tailored to its specific needs. These policies typically cover data breaches, ransomware attacks, incident response costs, and business interruption due to cyber incidents.
Portfolio solutions
Each portfolio company still purchases its own policy, but they benefit from a 'cyber portfolio solution' established by the PE firm. This approach leverages the PE firm's buying power in the insurance market, offering cost savings and broad coverage through strategic partnerships with selected insurers.
Summary and recommendations for PE firms
Conducting thorough due diligence at the point of acquisition to understand the cyber maturity of target companies will assist with negotiations and avoid deal delays.
01
Perform robust cyber due diligence
Comprehensive assessments of target companies to understand their cyber maturity will assist with negotiations and avoid deal delays.
02
Implement effective cyber strategies
Addressing the unique cyber maturity and IT posture at each portfolio company is crucial to protect and maximise the investment value. However, viewing the portfolio holistically rather than as individual investments can deliver benefits such as:
Cybersecurity best practices can be applied across the portfolio
Terms and conditions for cyber insurance can be improved through portfolio solutions
03
Demonstrate continuous monitoring
PE firms remain exposed during the hold period, so they should ensure they respond to any new IT vulnerabilities, cyber threats or regulations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.