Private equity and Cyber Security: Defence measures
April 01, 2015
Private equity firms face cyber security threats across their entire organisation as explained in our latest 'Guide to Cyber Security'. At fund manager level, financial data held on investors and portfolio companies is a high value target for hackers, as is intelligence on upcoming deals. At portfolio company level, risks abound in numerous different areas, with hackers targeting IP and consumer data or looking to cause business disruption.
There are several steps a private equity firm can take to mitigate these risks. Before detailing these, it is worth considering who might be behind the attacks.
Who’s behind cyber-attacks?
Cyber attackers broadly fit into three categories: criminals motivated by money; hacktivists motivated by a cause or by a desire to raise their profile; and those conducting espionage on behalf of a sponsor. Knowing who your potential adversaries are, what motivates them and how likely they are to target you helps you choose the defences that are most appropriate to your situation.
Know your cyber exposure
Private equity firms need to act in a number of different areas. Technology is an obvious and important one, but an organisation needs to take a holistic view of its structure and operations to appreciate its true cyber exposure and threat landscape. Cyber security is not only about technology: it also involves people, information, systems, processes, culture and physical surroundings. Only once all of these areas have been taken into account is it possible to quantify the risk of cyber attack and start to mitigate it.
Before this process begins, however, an organisation needs to establish whether it has already been compromised. According to the BIS 2014 Information Security Breaches Survey, 81% of large organisations and 60% of small organisations suffered a security breach in the previous year. There is little point in investing in a stronger security posture if an attacker is already inside the network and can read the plans for strengthening it.
We would typically conduct a 'compromise discovery', which involves monitoring the organisation's network and machines for a short period to establish whether an intrusion is already under way; if one is found, immediate remedial action is recommended. A short monitoring window can only reveal activity that occurs during that window, so it should be treated as a point-in-time check rather than a guarantee that no dormant foothold exists.
Defence measures
The final, but absolutely vital, element of cyber security is preparation for the inevitable.
As Robert Mueller, former Director of the FBI, said: “There are only two types of companies: those that have been hacked and those that will be.” Every organisation should have a structured and pragmatic plan setting out what it needs to do in response to a cyber breach, how it will do it and who needs to be involved. The plan should cover: who internally is responsible for leading the breach response; who to call if external technical response support is required; how to recognise when the response needs to be conducted under legal privilege and what that changes about how it is run; how to handle the PR side of a breach; what the communication plan to stakeholders is if, for example, customer data has been lost; and what the Information Commissioner's Office (ICO) implications are if consumer data is lost at one of your portfolio investments.
These are all aspects that private equity firms and their portfolio companies need to consider. There are some simple steps an organisation can take to make sure it is ready to respond: develop an incident response plan that sets out how to respond to a breach, and assign clear internal ownership of it. Organisations should also consider setting up an incident response retainer with a third-party organisation, such as PwC, so that in the event of a crisis help is at hand.
If you would like to discuss the topics covered above in more detail, then please do get in touch using the details below. You can also find more information in our 'Guide to Cyber Security'.