Myths About Cybersecurity Portfolio Oversight: Myth #2

With cyber threats and techniques continually evolving, the likelihood an organization small or large will experience a breach has increased significantly. In particular, the rise of ransomware-as-a-service means that huge numbers of unskilled attackers can monetize attacks on smaller organizations.

Indeed, smaller organizations have become the primary target for attacks due to having a reputation of poor cyber hygiene and attracting less media and law enforcement attention for hackers. A recent study found that 82% of ransomware attacks target organizations with fewer than 1,000 employees.

It has become imperative that private equity (PE) firms institute a “next level” of portfolio oversight: oversight that is formal, programmatic, and grows valuations. These more far-reaching cybersecurity portfolio oversight programs will meet increased investor expectations on cyber as well as safeguard and grow the valuation of investments.

In our experience, we regularly run into the same myths or misconceptions about the role of, and barriers to, building out a programmatic portfolio oversight capability.

In this series, we debunk some of the most common myths, providing your firm with the first step towards generating the necessary buy-in and funding for oversight.

Myth #2: Our firm already has a pretty good idea which PortCos need careful examination and/or assistance with cyber.

When it comes to addressing the cyber posture of PortCos, many firms have started with a piecemeal approach, targeting those organizations deemed to need the most attention. By only focusing on some organizations at the expense of others, firms run the risk of overspending on some PortCos while overlooking risks at others that need focus. Additionally, they miss out on the efficiencies and economies of scale of a systematic, portfolio-wide approach.

In addition to assessing risk across the portfolio, it is also important to assess risk regularly over time. Cyber threats and business environments are not static. Hackers are continually evolving their techniques and tactics. At the same time, business environments are constantly changing, through new acquisitions, business lines, technologies, locations, etc. Without real-time data and continuous monitoring of the entire portfolio, OPs cannot have a clear understanding of where cyber risks lie across the portfolio. An effective cyber portfolio oversight program employs such monitoring for most or all of the portfolio on a consistent and programmatic basis, allowing OPs to accurately and confidently prioritize which companies need assistance and resources.

In addition to overseeing cyber protections across the dimensions of portfolio breadth and time, a third dimension of oversight that is often overlooked is ensuring cyber protections are comprehensive. We often see firms limit their approach to a handful of key controls such as multifactor authentication, and/or requiring cyber insurance across the portfolio. Cybersecurity is not like most domains of risk management—you can’t say that “every little bit helps.” With cyber, firms are facing an active adversary—locking the front door doesn’t help if the window on the side of the house is open and someone is trying to break in. A programmatic oversight program must take a comprehensive view of cybersecurity.

This myth is just one of several outlined in our latest white paper “4 Myths About Cybersecurity Portfolio Oversight.” Download here to learn more about the common myths that stand in the way of firms adopting programmatic oversight. We also offer a framework for organizations to begin evolving their approach, enabling them to avoid value destruction, better compete for capital, and increase valuations.

“Before working with ACA, we … didn’t necessarily have a clean cross-portfolio view to say what is the cyber risk profile of each of our organizations, where do they sit today compared to whatever their target maturity should be, and are there opportunities to augment our road maps to better protect ourselves.”” — ACA Aponix Private Equity Client

---

You can read other myths in our series here:

• Myth #1: Intervention in portfolio companies (“PortCos”) cyber programs is too burdensome on the PortCo.
• Myth #3: Investors don’t care and/or are satisfied with our current approach to cybersecurity.
• Myth #4: Cyber oversight is (only) about downside risk management.

Our guidance

For several years PE firms have been dipping a toe in the water of cybersecurity portfolio oversight. In addition to the basic practice of pre-acquisition cyber due diligence, initial efforts taken by PE firms include bringing in outside consultants and vendors to PortCos with known cyber challenges and instituting minimum expectations for cybersecurity controls across the portfolio. Indeed, in 2022, 60% of firms polled by ACA reported to be actively engaging in some level of cyber oversight.

However, as recently reported in the Wall Street Journal, this initial level of oversight is no longer sufficient to protect investments from cyber threats or reassure investors. Instead, it has become imperative that PE firms institute a programmatic approach to portfolio oversight: oversight that is formally governed, applied consistently, and grows valuations. Programmatic cybersecurity portfolio oversight will meet increased investor expectations for cyber as well as safeguard and grow the valuation of investments.

Despite this pressure on PE firms, evolving cyber portfolio oversight to a programmatic approach is challenging. Most firms lack the cyber expertise, funding, buy-in, and/or understanding of what an oversight program should look like.

How we help

ACA has helped more than 100 PE, venture capital (VC), and hedge funds (HFs) improve cybersecurity oversight of their investments. Our new portfolio oversight solution, ACA Vantage for Cyber, can provide ongoing visibility to monitor and oversee your portfolio companies’ cyber health, giving you control to navigate risk, add value, and gain a competitive advantage. Powered by ACA Aponix^®, ACA Vantage for Cyber combines our renowned advisory service with our award-winning regulatory technology, ComplianceAlpha^®, and our exclusive "RealRisk" risk assessment methodology. 

ACA Vantage for Cyber will help you to:

• Align your cybersecurity oversight program to investor needs by leveraging best practices developed working with over 100 private market (PM) firms on oversight 
• Save time with instant access to assessment results and the status of related remediation efforts 
• Keep stakeholders informed and direct resources where they are needed most 
• Uncover your firm’s risk from your investments from the fund level all the way down to individual cyber capabilities at individual portfolio companies. 

Contact us to find out how we can help you protect your portfolio. 

Contact us