Cybersecurity: The New PE Firm Team Sport
Troutman Pepper shares how private equity firms can take a collaborative approach to cybersecurity within their portfolios
Historically, many private equity firms have let their portfolio companies independently manage cybersecurity. Given the increase in data and cyber risks, sophistication of threat actors, and impact and cost of breaches, leading PE firms are taking a new collaborative approach.
While portfolio companies are still able to operate independently, PE firms and their deal teams are increasingly using periodic “rapid maturity assessments” to efficiently identify needs, remediate against company and portfolio risk, and drive consistent reporting and solutions across the portfolio.
This section of the report is sponsored by Troutman Pepper and originally appeared in the Spring 2024 issue of Middle Market DealMaker.
If the idea of evaluating, monitoring and enhancing portfolio company cybersecurity programs at a portfolio level seems infeasible, think again. Here are four steps you can take to implement a collaborative approach for your portfolio:
1. Determine a common framework to assess maturity and risk across the portfolio. While portfolio companies may use a variety of major information security frameworks (e.g., most commonly ISO, NIST and CIS-18), determine a preferred framework around which to organize the portfolio’s assessment and reporting. Crosswalks can readily tie together key controls and enable cohesive reporting and clear objectives regardless of a portfolio company’s chosen framework.
2. Identify current-state maturity, individual portfolio company risks, and common vulnerabilities and needs across the portfolio. The assessment consists of three types of fieldwork: surveys, interviews and document review (e.g., program documentation, assessment reports and in-flight initiatives). Assessments are repeated periodically/annually. Innovative organizations use the assessment results to maintain an enterprise risk register, develop a road map to prioritize and track remediation activities, and benchmark key program maturity controls at the company and portfolio levels.
3. Develop a cross-portfolio maturation plan. By conducting assessments across the portfolio, PE firms can identify and prioritize key areas for improvement. For example, the PE firm may wish to use a consistent incident response plan across the portfolio companies or identify common breach service providers (e.g., forensics, legal, threat negotiation) that are readily available and understand the entire portfolio. This approach enables the portfolio to leverage economies of scale and purchasing power to secure preferential pricing for scalable security solutions for the portfolio companies (e.g., IAM, threat intelligence or endpoint detection and response).
Related content: The M&A Partners Working Behind the Scenes
4. Track improvements over time. Benchmarking facilitates efficient and systematic evaluation of controls and improvements for the entire portfolio and individual portfolio companies over time, enabling better informed investments and strategic decision-making for the organization (and to better prepare a company for sale). Subsequent assessments are even less disruptive, focusing on change during the interim period.
While information security was once viewed as table stakes and a cost of doing business, cyber preparedness and exposure to ransomware and data leaks are impacting PE deal diligence and valuations. It is also far less expensive to have security “baked in” from the beginning than to spend post breach. With some key tools and minimal investment, PE firms are increasingly assessing, measuring and addressing both unique and common vulnerabilities across their portfolios. In this new information economy and cyber risk environment, if you can’t measure it, you can’t manage it!
In their roles at Troutman Pepper, James Koenig co-chairs the firm’s Privacy + Cyber Practice Group, representing global clients in multiple industries; Brent T. Hoard works with clients to protect and maximize the value of their data; and Jean L. Pawluk helps clients implement and enhance information security programs.
Middle Market Growth is produced by the Association for Corporate Growth. To learn more about the organization and how to become a member, visit www.acg.org.
