2. Avoiding direct attacks on the PE firm
PE firms are a prime target for increasingly sophisticated and bold cyber attacks because they have large quantities of capital at their disposal and regular involvement with third parties. Malicious adversaries have ample opportunities for attacks, such as targeted phishing, spoofing and digital impersonation, through which large amounts of money could be siphoned off during the course of a complex deal.
Unfortunately, security fundamentals adapted to the firm's business complexity and deal intensity are often seen in a deal context as a blocker rather than an enabler.
The volume and frequency of transactions themselves also provide an opportunity for attackers to steal money in a way that might go overlooked (i.e., fraud within the funds-flow process) or undetected for some time. In fact, PE firms might be doubly vulnerable, because when they do focus on managing cybersecurity and other operational issues, this focus tends to be within their portfolio companies, rather than within their own four walls.
3. Managing complications arising from COVID-19
Day-to-day operations for PE firms and their portfolio companies across every sector have been roiled by remote working practices – many of which may be here to stay. As in other sectors, remote work transforms cyber risk profiles.
IT assets such as laptops and smartphones are being used more frequently outside the office, where they can be lost or more easily accessed by malicious adversaries. A key risk arises from employees managing confidential intellectual property in environments such as their home or local café, where internet security is less stringent.
Security awareness is now becoming an important factor in security strategies, because attackers are finding corporate employees an easier target to breach than infrastructure. As such, risks to consider include:
- Phishing scams. In the age of COVID-19, these can often be in the form of fake public health emails containing malicious links.
- Attacks on high-level executives, who may have access to valuable assets and data, often with administrative IT clearance.
- Exploitation of home working environments, including unsecured networks, devices and applications in the hands of untrained individuals or employees’ children.
GPs should think seriously about how changes to operations and working locations prompted by the pandemic have affected the cybersecurity of each of their portfolio companies.
Assessing PE’s cybersecurity risk
To assess the risk, consider using a cybersecurity assessment framework that brings together a traditional risk-based cybersecurity assessment, a deal-focused cyber transaction assessment, and a cybersecurity due diligence review. This type of framework can help you understand and address these concerns throughout the M&A deal life cycle. Consider three lenses: investment thesis, business operations, and cyber risk and vulnerabilities – the outputs of which would be assessed against each security domain to identify the intrinsic risk for each portfolio company.