By Darren Craig, Founder at RiskXchange,
New investment decisions or reviewing current portfolios should now include some form of risk assessment
The increasingly sophisticated cyber security threat presents real risks for all organisations. The results of a security breach can have huge consequences for a business’s reputation and bottom line. The press, public and politicians are now more aware than ever of the importance and value of data that companies hold and therefore the levels of scrutiny is at an all-time high.
With this in mind, the evaluation and management of these risks need to form a crucial part of the due diligence process in investment decisions. For Private Equity firms, any breach not only has reputational and financial consequences but can also trigger questions and concerns from limited partners about the ability of the firm to manage security across the rest of its portfolio.
Securing a full overview of security
There has never been a more important time for any investment decision to be prefaced by a security assessment. Whilst some in the industry recognise the importance of risk assessments, there tends to be an over-reliance on high level reviews, based on the ‘honesty’ of the company’s own IT team and the filling out of questionnaires.
This is no longer a credible way of gaining the insight needed to allow Private Equity firms to make an informed decision on investment targets. The rate at which cyber criminals are escalating their attacks and the levels of sophistication involved, now means that much of the information provided may be outdated, before it even reached the desk of decision makers.
Indeed, these high-level overviews tend to confirm the adherence to various regulations. Whether it be ISO27001 or GDPR, the complexity surrounding the security regulatory landscape now means that further insight is needed. It maybe the ISO only relates to one particular part of the business, or that there was a rushed, tick box exercise in order to secure compliance to GDPR. Neither mean that the company is secure and only gives part of the story.
Near real-time security assessment is key
In order to gain a full, and accurate, insight into a company’s security practice, Private Equity firms are starting to use solutions that gives a near real-time, non-intrusive view of the investment target’s security. It checks poor security hygiene, the regulatory of patch updates and the effectiveness of security policies and strategies already in place. Giving the company a security score enables Private Equity firms to easily see where the target company sits, where it needs to improve and areas of real vulnerability.
Giving this level of insight allows for informed decisions to be made and takes away much of the mystery that often surrounds a company’s security.
Constant review of portfolio
It is not just at the point of investment that Private Equity firms need to be on-top of the security vulnerabilities. Indeed, arguably as the relationship continues to build, the need to ensure that security remains a core part of the strategy becomes even more important.
For investment firms with large portfolios this can seem like a daunting, if not impossible task. However, an automated approach which identifies possible vulnerabilities allows investment firms to take action and ensure that their portfolio of companies is taking the threat seriously.
By encouraging the portfolio to keep a good score throughout the relationship ensures that the investment is as safe as it can be from a cyber-security perspective. Those who constantly score badly are easily recognised and dealt with.
All of this means of course, that Private Equity firms are not just protecting their investments and reputations but can in fact, add value over time, as companies become more secure.
Changing best practice
Private Equity firms remain, on the whole though, reluctant to look deeply into a company’s infrastructure and security as part of a due diligence process. This has to change. The old methods of manual checks and verbal assurances no longer reflect the modern environment where the sophistication of cybercriminal attacks are constantly evolving. Much of this reluctance may come from a lack of understanding, not of the relevance, but of the processes involved.
Investment firms are well versed in the due diligence process that assess the financial, logistical and personal aspects of an investment decision. However, even if all of these aspects are in place, they can be undone in one high profile breach. With data stolen, regulators, politicians and the public quickly lose faith and the sound investment suddenly becomes a poor one, as does the reputation of the investment firm.
Adding a layer of cyber security assessment should now be considered a crucial element of any due diligence process. Using automated solutions that can in near real-time give an updated overview of the security status and vulnerabilities of a potential investment. An easy to understand scoring system can provide Private Equity firms with the knowledge they need to make an informed decision on investment and an ongoing overview of status throughout the period of the relationship, securing the initial investment made, and in many cases adding value to it.