Private equity and cyber risk

Is your due diligence falling short?

Mollie Marsh, Assistant, Forensic Services
Tim Robinson
04/09/2025
Private equity firms face a unique challenge: they must manage their own cyber resilience, determine whether potential investments have robust security foundations, and make sure their ongoing investment portfolio remains secure against cyber attacks and information security incidents.

According to research carried out in late 2024, 72% of private equity firms in the US and EMEA have experienced a serious cyber incident across their portfolios in the past three years. The average cost of a single significant cyber incident has been measured at a staggering USD 4.4 million. This financial cost, combined with significant reputational damage, can be catastrophic for a company's short- and long-term profitability.


To protect their investments, many firms are taking steps to enhance the cyber risk profiles of their portfolio companies. 95% of these firms require their portfolio companies to have at least basic technical security measures deployed, such as data loss prevention, privileged access management and multi-factor authentication. Furthermore, 40% of respondents were conducting regulatory compliance assessments and 46% were assessing third-party and supply-chain cybersecurity for their target companies.

While current behaviour and action to manage this risk are positive, firms still run the risk of falling short. For example, just 54% of firms confirmed that all businesses in their portfolios have a defined and tested cyber incident response plan. This is concerning, as an effective incident response plan is crucial to ensure swift and effective action in the event of a cyber incident. The operational, legal and reputational impacts of a cyber attack can be exacerbated by ineffective incident response.

Additionally, only 53% require regular employee cybersecurity training across the board. Cybersecurity training for employees has always been important, and is now increasingly so, as many high-profile cyberattacks involve some element of social engineering. Take, for example, the recent cyberattack on Marks and Spencer (M&S), where a significant element of the attack was delivered via simple social engineering tactics against consultants of an outsourced third-party service provider. The IT helpdesk did not follow pre-defined security processes and granted the threat actor access to the M&S infrastructure via the contractor’s privileged user account.

This also shows that the cybersecurity of a business is only ever as strong as that of its supply chain and technology ecosystem. Cyber threat actors see this as an easy and lucrative route for their attacks.

So how can private equity firms respond?

Pre-acquisition:

  • Perform your due diligence and take a comprehensive and proportionate view of what cyber risks exist in potential investments using robust cyber security frameworks to measure against.
  • Identify what additional funds might be required to raise resilience and mitigate potential security weaknesses in future investments.
  • Understand if the investment’s cyber security could act as a strategic enabler of growth in the future.

During the investment lifecycle:

  • Assess and measure ongoing and emerging cyber risk at your portfolio investments so you can better protect your investment and support and guide it to success.
  • Identify externally visible vulnerabilities via live testing and active threat intelligence before cyber criminals exploit them.
  • Collaborate with joint scenario exercises to help raise standards around incident response effectiveness.
  • Raise customer sentiment and prepare investments for future sales by gaining new globally recognised cyber security certifications.

Raising cyber security isn’t an overnight fix, but it can be approached in a proportionate and ongoing manner that helps to mitigate a serious risk and enable proper growth.

Crowe’s Cyber Security team is experienced in supporting private equity firms to identify and reduce cyber risk across both pre-acquisition and ongoing portfolio management. Please contact your usual contact partner.

Tim Robinson
Partner, Cyber Security and Counter Fraud