It’s time to talk about cyber threats in PE-backed businesses

As private equity investors focus on navigating a tough economic climate, are they neglecting the risk of cyber-attacks to portfolio businesses? With the potential to wipe out returns, or even make a business unviable, how can investors and management teams work together to mitigate the threat?
Ruby Sheera

April 10th, 2024

Cyber-attacks and data breaches are among the biggest risks currently facing any business, and the evidence suggests that private equity firms and PE-backed businesses are being deliberately targeted. Over the past two years, I personally know four PE-backed businesses that have been hit by ransomware attacks, while eight PE firms were posted to various ransomware leak blogs in 2023. A report by Accenture backs this up, finding that 68% of its PE clients see an uptick in cyber incidents during the month a deal closes.

“Statistics and trends would suggest that we can look forward to increasing volumes of cyber-attacks over the coming years, with increased sophistication and escalating consequence,” comments Wayne Churchill, CEO of Normcyber. “Whilst statistics on cyber breaches within PE-sponsored companies only are hard to come by, the UK Government’s 2023 Cyber Breaches survey claims that in the previous 12 months, 37% of large businesses had become a victim of some form of cybercrime and more specifically that circa 1.5% of these businesses had been victims of ransomware attacks, one of the most disruptive and costly forms of attack. These are sobering statistics for PE investors and management teams alike.”

For cyber-criminals, PE-backed firms are an ideal target: deals invariably make the headlines, the companies involved have deep pockets, and buy-and-build activity can open ‘back doors’ in IT systems, since each bolt-on acquisition brings its own networks, accounts and integrations that must be secured, making the combined business more vulnerable to attack. The results can be devastating for the firms in question: the ability to operate and to drive value creation is severely impaired, rectifying the damage and losses carries significant cost, and there is the reputational impact on top. In some cases, attacks have even put the survival of the business in question.

Heads in the sand

Yet despite the magnitude of the cyber threat, there appears to be a lack of preparedness among both portfolio companies and private equity investors to protect against and respond to attacks. The Accenture study found that one in two of its PE-backed clients lack cyber insurance, which helps cover the cost of a breach and provides first-response support following an incident. In the cases I know of, the attacks were met with disbelief, panic, delays, and a lack of consensus about how to respond. Meanwhile, for every minute of delay, the attackers wreak more havoc in a company’s systems.

“I see PE-sponsored companies regularly that possess nothing more than a wafer-thin veneer of cyber defence, arguing that investing in cyber security does not build enterprise value and that their cyber insurance policy is adequate protection,” says Churchill. “It is still uncommon to find private equity firms that dismiss such naivety and impose cyber defence standards on portfolio companies.”

Standing shoulder-to-shoulder

The big question is where the balance of responsibility lies between private equity funds and portfolio companies in terms of cyber security, insurance, and breach response. Given that the risk appears to increase following funding and M&A, surely there is a role for investors in contributing some of their management fee both towards minimising the threat, through the right systems, expertise, and insurance, and towards dealing with the consequences if a breach does occur.

“PEs play a major role as part of the investment in their portfolio companies' level of cyber resilience, starting with the due diligence,” says Guy Gollan, the CEO of Performanta, which itself is PE-backed. “The more they incorporate stringent assessment of the ‘target company’ the better the starting point is. We saw that happening with a major transaction worth almost £200m where the acquirer refused to have the deal ready without meeting the minimum cyber requirements. Those were reasonable to ensure resilience. This action is far more popular and established in the US and Australia vs Europe.”

Investors and portfolio companies must make cyber security a leadership priority and ensure that businesses know exactly how to respond when an incident occurs. Should CTOs and CIOs be valued more highly for their role in putting a cyber strategy in place and ensuring that systems are regularly stress tested? Or is this something that PE funds should oversee centrally, by providing internal or external support? KKR is leading the way here, having added a global head of cyber for its portfolio companies.

“PEs need to establish a risk committee at the board level, as part of their prerequisites,” continues Gollan. “This will ensure the invested company keeps the level of security high and avoids any dipping-head-in-the-sand syndrome. A risk committee will mark the right accountabilities and will seek budget for cyber.

“Budget is a point of friction, and one cannot avoid it,” he continues. “It needs to be 8% to 15% of the IT budget. PE firms need to remember that in the case of a breach the expenditure can be 15 to 30 times higher than the entire annual cyber budget. Clearly something no one can afford. Lastly, cyber plays a role as part of compliance. Be it ISO certification or CREST, they'll have to demonstrate capabilities and action towards a more resilient, less risky operation.”

Is there a difference in how US and European PE firms are approaching the challenge? I’ve heard anecdotally that US funds are more supportive, being quick to pay ransoms so that companies can get back to business as soon as possible, without customers or, in some cases, the broader business even being aware of the cyber-attack! This approach raises ethical and legal questions, though, and avoiding attacks in the first place would no doubt be preferable.

“The primary response must be investment in effective cyber defence management and incident response, and the secondary should be stronger cyber insurance,” comments Churchill. “Both will require additional operational costs to be borne in most businesses, costs which are likely to be detrimental to EBITDA. However, the lack of such protections should go to the heart of any risk-weighted enterprise value, opening up the debate around the extent to which enterprise value should be adjusted coming into a deal. Looking at an existing portfolio, PE investors should push for full cyber defences to be built, adjusting their expectations, and permitting these costs to be incurred to avoid price adjustment on exit, or worse, value destruction arising from a cyber-attack.”

Starting a discussion

PE funds and portfolio businesses understandably don’t want to admit to a cyber incident. Still, the upshot of keeping quiet is that the risk is more likely to be overlooked across the wider private equity community. At a time when growth is already impacted by economic challenges, a cyber-attack has the potential to severely exacerbate the impact on exit returns, and is arguably the bigger threat, given the immediate operational, financial, and reputational damage it can wreak. It is time to start a discussion and take action.