Private Equity firms pride themselves on implementing best practices in every functional area within their portfolio companies. Cyber Risk Management is emerging as a core business function as cybersecurity has evolved into an existential risk for organizations of all types. In addition, depending on the industry, companies are being mandated by regulators to meet increasingly rigorous compliance requirements around cybersecurity. PE firms now need real-time visibility into their portfolio companies’ cyber postures to understand where the risks reside, quantify these risks in monetary terms, and prioritize remediation activities to optimize the cyber posture of their companies and, thereby, minimize risk.
Certain firms have hired dedicated Chief Information Security Officers to lead their portfolio companies' cyber risk management functions. This has proven effective given the wide range of cyber sophistication within companies, especially in the middle market. Other firms have turned to third-party consultants for cyber assessments of their portfolio companies. Ultimately, this is a core competency that should reside within every organization.
Given the magnitude of the risk associated with cyber breaches, management teams are being held accountable for their cyber postures by their Boards of Directors. A best-in-class Cyber Risk Management program must address the following functions:
[Graphic: Cyber Risk Management]
Assess: the first step in understanding a cyber posture is to assess it against a framework, either one established for a particular industry or a general framework such as the NIST CSF that applies to all business types. An assessment is a point-in-time view; if it takes months to complete, it is obsolete by the time it is finished. Ideally, the platform used to perform the assessment can automate the testing of many of the controls, centralize the collection of evidence, and provide a real-time view of the organization’s posture.
Measure: once an assessment has been performed, CFOs and other decision-makers need to understand the potential cost of the weaknesses it revealed. This quantification can be done with the FAIR model or a similar risk measurement model that leverages historical breach data. Pairing this insight with a return-on-investment calculation for a given cybersecurity solution lets CFOs make informed decisions about where to invest constrained budgets to remediate those weaknesses. A black-box cyber score is a relative measure with little utility; exposure expressed in financial terms has tangible, actionable value.
Mitigate: once you understand your posture and have quantified your risks in financial terms, decide how best to remediate them. Like any other risk, cyber risk can be accepted, transferred, reduced, or avoided. A recommendation engine based on best practices, coupled with modeling of the effect of the chosen solution on the overall cyber posture, would be of great value to a team facing these decisions. As solutions are implemented, the fixes should be automatically reflected in an updated posture assessment.
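As an added illustration of the Measure and Mitigate steps above (example code written for this page, not the article's or any vendor platform's), a simplified FAIR-style calculation turns threat event frequency, vulnerability and loss magnitude into an annualized loss expectancy, simulates the annual loss distribution so the tail is visible rather than just the average, and computes the ROI of a control that reduces the vulnerability term. The scenario figures, the 60% vulnerability reduction and the control cost are constructed assumptions.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class RiskScenario:
    threat_event_frequency: float  # expected threat events per year
    vulnerability: float           # P(a threat event becomes a loss event), 0..1
    loss_min: float                # per-event loss magnitude in USD (triangular)
    loss_most_likely: float
    loss_max: float

    def loss_event_frequency(self) -> float:
        return self.threat_event_frequency * self.vulnerability

    def annualized_loss_expectancy(self) -> float:
        # Point estimate: LEF x mean of the triangular loss-magnitude distribution
        mean_loss = (self.loss_min + self.loss_most_likely + self.loss_max) / 3
        return self.loss_event_frequency() * mean_loss

def poisson_sample(rng: random.Random, rate: float) -> int:
    # Knuth's method; adequate for the small annual rates used here
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(s: RiskScenario, years: int = 10000, seed: int = 0) -> list:
    # Monte Carlo: loss events per year ~ Poisson(LEF), each with a triangular loss
    rng, lef = random.Random(seed), s.loss_event_frequency()
    return [sum(rng.triangular(s.loss_min, s.loss_max, s.loss_most_likely)
                for _ in range(poisson_sample(rng, lef))) for _ in range(years)]

def control_roi(s: RiskScenario, vulnerability_reduction: float, annual_cost: float) -> dict:
    # A control (e.g. MFA) that cuts the vulnerability term; reports the risk
    # reduction and ROI the article says CFOs need to allocate budget
    after = RiskScenario(s.threat_event_frequency,
                         s.vulnerability * (1 - vulnerability_reduction),
                         s.loss_min, s.loss_most_likely, s.loss_max)
    before, after_ale = s.annualized_loss_expectancy(), after.annualized_loss_expectancy()
    return {"ale_before": before, "ale_after": after_ale, "risk_reduction": before - after_ale,
            "roi": (before - after_ale - annual_cost) / annual_cost}

# Constructed scenario (assumed figures): phishing-led ransomware at a mid-market company
PHISHING_RANSOMWARE = RiskScenario(4.0, 0.25, 50_000, 200_000, 950_000)

if __name__ == "__main__":  # quick run with the constructed scenario
    print(control_roi(PHISHING_RANSOMWARE, 0.6, 80_000))
```

Sorting the output of simulate_annual_losses and reading the 95th-percentile entry gives the tail exposure that a single ALE figure hides.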
As illustrated in the graphic above, these three steps (assess, measure, mitigate) should be repeated continuously to optimize an organization's cyber posture. By standardizing on one Cyber Risk Management platform, Private Equity firms can obtain a uniform view of the cyber posture of all of their portfolio companies, can monitor this posture on a real-time basis through executive dashboards, and can be in a position to establish the best practices within their portfolio companies to minimize the existential risk associated with cybersecurity.
Ideally, Private Equity firms would assess a target's cyber posture during due diligence, before acquiring it. In practice, time constraints and competitive dynamics mean most cannot do this with existing methods. What they need is a platform that provides a rapid assessment of a target’s cyber posture, so that no existential risk comes to light only after the acquisition closes.