This article is sponsored by Clearwater
How do you currently see PE managers approaching cyber-risk management, and how might they approach it more holistically?
Historically, private equity firms primarily relied on the boards of their investment companies to monitor, question and evaluate cyber-risk within each portfolio company.
Now, we’ve started to have conversations with PE firms – in the US particularly – around the need to evaluate the cyber-risk at the portfolio level, how they should evaluate that and better ways of going about risk management. They are recognizing that folks on the boards may not necessarily have had the backgrounds to ask the right questions, or to understand the responses, and that was leading to inconsistent understanding and management of cyber risk across portfolios.
Even when different portfolio companies had the same level of expertise in the past, they weren’t necessarily looking at cyber-risk consistently across all their investments.
A lot of that is because there are multiple control frameworks and multiple different assessments being done by multiple parties, giving rise to inconsistencies in how we describe cyber-controls and programs between businesses.
Firms started to look for common evaluation tools across their investments, so they could take that and really start to understand risk at the portfolio level.
Now, they are looking to understand where the greatest risk lies within the portfolio, for example, and where they stand against the industry as a whole. There’s an opportunity to educate at the company level, board level and PE firm level so that everyone can learn the lexicon of cybersecurity and start to understand what best practice means.
What particular cyber-risks do PE firms face in the healthcare sector?
We generally think of risk as the likelihood of a threat acting on a vulnerability and the impact to the organization if that were to occur. For the healthcare industry, the threats out there continue to grow, from the disgruntled employee to the sophisticated international criminals behind ransomware attacks and state-sponsored actors looking to access medical information.
From a vulnerability perspective, the expanding footprint of and increasing reliance on technology typically means there is a growing number of vulnerabilities. Also, folks have discovered that because you are often relying on third parties, you take on the risks of those third parties as well.
In the US, the biggest breaches in healthcare in recent years have involved third-party vendors where the impact radiates out to hit many players, as we saw with the SolarWinds cybersecurity attack. That breach was identified in late 2020 and lawsuits were filed in 2021, one of which targeted the private equity owners of the business alleging negligence in addressing cybersecurity.
All of this means that unless there is a strong cybersecurity program in place, there is a growing likelihood of an event taking place, and when it does, it is expensive. Research from IBM and the Ponemon Institute shows the average cost of a breach in the healthcare industry went up $2 million to hit $9.23 million last year, with this being the most expensive industry in which to suffer a breach. The financial implications are significant, driven in large part by the volume of patient information being held. It is also true that the bigger the organization, the greater the risk in terms of the potential cost of an attack.
How might cyber-risk erode returns if not properly addressed?
Given how expensive it is to suffer a breach, a lot of companies used to offset that with cyber-liability insurance. In the last six months, it has become increasingly difficult to get that coverage; it comes at a premium, and with lots of limitations.
Furthermore, three or four years ago, due diligence for cybersecurity during a transaction wasn’t really something that was going to significantly impact a deal or stop it going ahead. That’s no longer the case. We have seen transactions being derailed because of a cybersecurity problem, whether that’s a breach or a perceived lack of sufficient security. Those issues are being taken much more seriously and are impacting price.
What are the biggest challenges that PE firms encounter when tackling cyber-risk management?
One problem is there are just insufficient qualified professionals in the cybersecurity industry, so finding expertise at the company or the PE firm level is extremely difficult. And if you do find the right people, they are more and more expensive to engage.
The next problem is that the PE managers need to learn the language of cybersecurity. While most are really familiar with the language of finance, this is something new that they need to grasp in order to make informed decisions. When you get down into the company level, it depends where in the life cycle of a company the investments are made. Those firms making early-stage investments are often just trying to get cybersecurity programs in place, whereas when you’re further along it’s about understanding what’s required as a business grows. The more successful you are, the greater the risk and the more comprehensive the program needs to be to mitigate that.
Also, the expectations for healthcare organizations from a compliance perspective increase quite significantly with maturity and scale. Understanding that and making sure that you are implementing appropriate programs is a challenge, and has a cost associated with it. A lot of the PE firms we are working with are investing in digital health or in physician practices that are doubling in size every year. The challenges associated with that growth and the legal structures involved can be significant.
What do PE firms need to prioritize as they build a security protocol roadmap around their portfolio?
At the portfolio level, the priority really is understanding where a company is relative to an appropriate target profile, which means establishing what is the reasonable and appropriate level of security that should be in place. Defining what’s reasonable and appropriate is a challenge in itself and will depend on how that business goes to market, compliance requirements, customer expectations, third-party exposures and so on.
Once you have come up with the target profile, you need to establish where you are currently relative to that and then map a course to get to where you need to be and track that on an ongoing basis. Getting baseline controls and then managing risk on an ongoing basis at an acceptable level for that organization is the key.
At the private equity firm level, we suggest managers start to develop a common understanding of cybersecurity to evaluate portfolio companies through a common lens. That allows firms to understand risk across the portfolio, where the most risk resides, and what needs to be done in order to bring the risk to an appropriate level.
These things can be done together or separately; we have seen firms just working at the portfolio level, just working at the firm level, or taking a mixed approach. The nature of the businesses will determine the level of expertise needed and whether that expertise is needed in-house, but every firm is going to need someone to define that target profile, come up with a roadmap and then people to assist with implementation.