By Alan Turovlin, TurovlinPartners
Target was hacked in 2013, the Democratic National Committee in 2016 and Equifax in September 2017. What is going on?
Are more hacks making the news, or are attackers more skilled and better funded these days? And what of cybersecurity? It is IT’s responsibility, right? That’s what everyone says. So, did IT get funded? Does IT need more money? IT will address our cyber risk and fix us, right? Yes and no. IT executes and resolves cyber-related issues against a plan, and that plan must rest on an assessment of corporate risk, which is a responsibility of the C-suite and board.
Right now, the focus at Equifax is on what the IT staff did or did not do. As days pass, however, the focus is shifting to a more serious issue: the lack of oversight and governance at the C-suite and board levels, and there is talk of the fiduciary responsibility, or lack thereof, of the company’s officers. Even the news of possible insider trading by the CFO matters less as oversight and governance become the focus. Oh, and the CEO “retired.”
What happened at Equifax, the severity of the hack, its duration and management’s apparent hands-off approach, is scary. When a cyberattack occurs, more than IT is involved; the entire company becomes embroiled.
So why is the predicament at Equifax important to you, the portfolio operating manager? Lessons learned from the Equifax hack may help you protect your portfolio companies’ earnings and valuations.
For starters, let’s acknowledge that most companies’ cybersecurity efforts are inadequate and are left to the IT staff. Further, the insufficiency does not necessarily lie in deficient technology, such as a lack of IT skills, tools or even budget. At Target, the DNC and now Equifax, the problems were both technical and managerial.
While IT can execute and resolve cyber-related issues against a set of prescribed criteria, these criteria need to be established after careful consideration of corporate risk and put forth in a plan created by management, specifically the C-suite and board. Here are six steps you as the portfolio operating partner can take:
- Have the CISO (or at least the CIO) report directly and regularly to the board. Adjust your portfolio company’s reporting structure so the CISO (or CIO) reports not to the CFO or CEO but directly to the board, and make the CISO’s report a standing agenda item. Elevate cybersecurity to a level on par with audit and corporate risk management, and watch how corporate oversight and governance improve.
- Perform cyber-risk assessments and communicate the results. Ensure that your portfolio company conducts a cyber-risk assessment that considers both short-term and long-term risk. In reality, few companies conduct comprehensive assessments, and those that do often do so only after a problem has surfaced. (That’s too late!) Then, have your companies communicate the results of the assessment to senior executives and the board; fewer still do this today. In early September, Equifax reported that its CFO was unaware of the data breach, although this CFO is now under investigation for insider trading. Knowledge of cyber risk, and certainly of an actual cyberattack, is a core component of the fiduciary responsibility of company officers and the board: it is their responsibility to protect the company’s assets. This is the failing at Equifax.
- Do what the cyber-risk assessment recommends. Most companies that conduct cyber-risk assessments perform the easy tasks and forgo the ones that require significant expense or effort. Encourage your portfolio companies to follow all of the recommendations of their assessments, not just the cheap ones. You know best how to protect your portfolio’s earnings and valuation, and you know that vigilance is an ongoing process; help your portfolio companies understand this too. The risk of a cyberattack is omnipresent, and constant attention is required from everyone in the organization, from IT to the board.
- Incorporate a cyber-risk assessment in your due-diligence process for acquisitions. Assess every investment candidate for cyber risk as a standard part of due diligence. Then monitor and re-evaluate that risk as the acquisition is integrated into your portfolio, because an acquired company’s weaknesses, and any attacker already inside its network, become yours once the two are connected. When was the last time your firm looked at cyber risk as part of due diligence? Cyber risk can have a material impact on asset value and future revenue and should be treated as such.
- Educate your portfolio companies about cyber risk. First and foremost, ensure that your portfolio companies understand cyber risk and the possible threat to earnings and valuation should a breach occur. Again, awareness of cyber risk is a corporate responsibility, not IT’s alone. Target’s retail-store credit-card data was compromised through a third-party vendor whose network access was abused. The DNC was hacked through a phishing email directed at a key individual. Both attacks began outside IT’s direct control, with a vendor’s credentials and a user’s inbox; IT could have limited the damage (for example, by segmenting vendor access and requiring multi-factor authentication), but it could not have prevented the initial deception. Every person in a company needs to be aware of cyber risk, their role in preventing a cyberattack, how to recognize an attack and, if compromised, what to do and whom to tell.
- Have a cybersecurity action plan and use it. “Everyone gets hacked. If you think you haven’t, you just don’t know about it.” (Old cybersecurity proverb.) As the portfolio operating partner, make certain every portfolio company has a cyber-risk action plan, one that addresses internal and external stakeholders and that is exercised, not just filed. I doubt Equifax had such a plan; if it did, it did not use it. Your portfolio company will be hacked. So be prepared, you and your boards.
As the portfolio operating partner, should you be involved in the details of the six steps described above? Yes. Should you hold IT, your C-suite and your boards accountable for protecting company assets and, ultimately, company value? Yes. Should your C-suite and board regularly review the company’s security posture to mitigate cyber risk? Yes. With “yes” to all three, you can be far more confident that your shareholders’ investment is protected.
Alan Turovlin, CPA, CGMA, CERT in cybersecurity, is managing director of TurovlinPartners and a seasoned IT executive with extensive credentials in finance and accounting and cyber-risk assessment plus 10 years of work experience with private equity firms and their portfolio companies. He can be contacted at [email protected], +1 919-521-0690 or www.linkedin.com/in/alturovlin/