Myths About Cybersecurity Portfolio Oversight: Myth #1

With cyber threats and techniques continually evolving, the likelihood an organization small or large will experience a breach has increased significantly. In particular, the rise of ransomware-as-a-service means that huge numbers of unskilled attackers can monetize attacks on smaller organizations.

Indeed, smaller organizations have become the primary target for attacks due to having a reputation of poor cyber hygiene and attracting less media and law enforcement attention for hackers. A recent study found that 82% of ransomware attacks target organizations with fewer than 1,000 employees.

It has become imperative that private equity (PE) firms institute a “next level” of portfolio oversight: oversight that is formal, programmatic, and grows valuations. These more far-reaching cybersecurity portfolio oversight programs will meet increased investor expectations on cyber as well as safeguard and grow the valuation of investments.

In our experience, we regularly run into the same myths or misconceptions about the role of, and barriers to, building out a programmatic portfolio oversight capability. In this series, we debunk some of the most common myths, providing your firm with the first step towards generating the necessary buy-in and funding for oversight.

In this series, we debunk some of the most common myths, providing your firm with the first step towards generating the necessary buy-in and funding for oversight. You can read other myths in our series here:

• Myth #2: Intervention in portfolio companies (“PortCos”) cyber programs is too burdensome on the PortCo.
• Myth #3: Investors don’t care and/or are satisfied with our current approach to cybersecurity.
• Myth #4: Cyber oversight is (only) about downside risk management.

Myth #1: Intervention in portfolio companies (“PortCos”) cyber programs is too burdensome on the PortCo.

Historically, there has often been a limit to the level of involvement and oversight of Operating Partners (OPs) in portfolio companies’ (“PortCos’”) operations. This limited involvement largely stemmed from firms not wanting to overly burden PortCos with oversight, especially for functions that were traditionally not considered critical to return on investment (ROI). 

Until recently, cybersecurity was in this category of business functions that fell outside the purview and responsibilities of OPs. However, with cybersecurity now a top risk facing organizations (and consequently, investments), it has become critical that OPs take a more active, oversight role in the cybersecurity of their PortCos, even if it does create some measure of burden. 

However, in our experience, PortCos are generally receptive rather than resentful of enhanced OP oversight and involvement in cyber. Most PortCos care about cyber and know they need help. This is especially true for smaller PortCos that lack the resources and have nascent, less developed cyber programs. 

PortCo resistance to cyber oversight typically arises when oversight does not reflect the needs and/or operations of the PortCo. If OPs require companies to take cumbersome, unapplicable, or redundant actions that provide marginal benefits to their cyber program and organization, PortCos are unlikely to be receptive. For this reason, cyber oversight efforts should be rooted in a strong understanding of the current cybersecurity context of PortCos so activities and expectations can be scoped to the company and help it improve its cyber posture.

This myth is just one of several outlined in our latest white paper “4 Myths About Cybersecurity Portfolio Oversight.” Download here to learn more about the common myths that stand in the way of firms adopting programmatic oversight. We also offer a framework for organizations to begin evolving their approach, enabling them to avoid value destruction, better compete for capital, and increase valuations.

“We were very deliberate and focused on how we sold the value of the OP-led cyber support initiatives to our PortCos. Due to this coordinated effort, our CEO and CIOs were able to see the direct benefits to their cyber programs and were very receptive. What I’ve been most surprised and happy to see is PortCos taking oversight efforts and results a step further and asking, ‘what do I have to do to get to the next level of maturity.” — ACA Aponix Private Equity Client

---

 

You can read other myths in our series here:

• Myth #1: Intervention in portfolio companies (“PortCos”) cyber programs is too burdensome on the PortCo.
• Myth #3: Investors don’t care and/or are satisfied with our current approach to cybersecurity.
• Myth #4: Cyber oversight is (only) about downside risk management.

Our guidance

For several years PE firms have been dipping a toe in the water of cybersecurity portfolio oversight. In addition to the basic practice of pre-acquisition cyber due diligence, initial efforts taken by PE firms include bringing in outside consultants and vendors to PortCos with known cyber challenges and instituting minimum expectations for cybersecurity controls across the portfolio. Indeed, in 2022, 60% of firms polled by ACA reported to be actively engaging in some level of cyber oversight.

However, as recently reported in the Wall Street Journal, this initial level of oversight is no longer sufficient to protect investments from cyber threats or reassure investors. Instead, it has become imperative that PE firms institute a programmatic approach to portfolio oversight: oversight that is formally governed, applied consistently, and grows valuations. Programmatic cybersecurity portfolio oversight will meet increased investor expectations for cyber as well as safeguard and grow the valuation of investments.

Despite this pressure on PE firms, evolving cyber portfolio oversight to a programmatic approach is challenging. Most firms lack the cyber expertise, funding, buy-in, and/or understanding of what an oversight program should look like.

How we help

ACA has helped more than 100 PE, venture capital (VC), and hedge funds (HFs) improve cybersecurity oversight of their investments. Our new portfolio oversight solution, ACA Vantage for Cyber, can provide ongoing visibility to monitor and oversee your portfolio companies’ cyber health, giving you control to navigate risk, add value, and gain a competitive advantage. Powered by ACA Aponix^®, ACA Vantage for Cyber combines our renowned advisory service with our award-winning regulatory technology, ComplianceAlpha^®, and our exclusive "RealRisk" risk assessment methodology. 

ACA Vantage for Cyber will help you to:

• Align your cybersecurity oversight program to investor needs by leveraging best practices developed working with over 100 private market (PM) firms on oversight 
• Save time with instant access to assessment results and the status of related remediation efforts 
• Keep stakeholders informed and direct resources where they are needed most 
• Uncover your firm’s risk from your investments from the fund level all the way down to individual cyber capabilities at individual portfolio companies. 

Contact us to find out how we can help you protect your portfolio. 

Contact us