PE firms must scrutinize the cybersecurity posture of potential investments and their third-party vendors

By Aleksandr Yampolskiy, SecurityScorecard

Private equity firms often lack the insight and understanding that protect their assets from cyberattacks, thus putting their portfolio companies at risk. As a result, PE firms must address the cybersecurity posture of potential investments and of their third-party vendors.

Why focus on cybersecurity posture?

Increasing threats from skilled hackers exploiting legacy technologies, system flaws and insufficient cybersecurity make securing PE firms and their investments seem daunting.

Although PE firms review the financial risks and rewards of potential investments, they often lack insight into, and understanding of, the cybersecurity posture and health of all parties involved.

But the complex array of threats against target companies and vendors means that failure to understand a potential target’s data security can lead to risky investments.

Too often, damage occurs from security breaches without a firm’s knowledge, leaving a lasting impact on PE firms, even if the breach came from a small third-party vendor.

According to the 2017 Coller Capital Survey: “Over half of limited partners expect their infrastructure to suffer a serious cyber-attack within five years. Around half of investors say they will require cyber risk assessments both for general partnership management companies and for fund portfolio companies within the next few years.”

Key Factors to Evaluate

PE firms should protect themselves by assessing a potential investment’s IT and cybersecurity health through due diligence.

  • Adherence to relevant standards. Determine that the privacy and data-security controls of targets and their third-party vendors align with applicable standards, audit requirements and other compliance mandates.
  • Third-party cybersecurity posture. Scrutinize potential investments’ third-party vendor contracts and the vendors’ cybersecurity risk posture.
  • Extent of and location of critical data. To mitigate risk, thoroughly review an investment’s IT and cybersecurity health by identifying and reviewing critical data and data protection at the targets and their third-party vendors.
  • Presence of cybersecurity awareness training. Review cybersecurity training at potential targets and their vendors for adequacy and completion, since many breaches can be attributed to human mistakes. Educate portfolio companies on cyberthreat response, reducing the potential for cyberincidents.
  • Prior breach history. Request information about past breaches, even non-public, to assess damage and mitigate potential future risks. Review and address risks from any breach to determine the impact on sensitive data and what hackers obtained. The aim is to gain assurance by understanding the scope of the damage and steps to remediate, thus mitigating risks such as lost value or diminished reputation.

Establishing a Pulse on Cybersecurity Risk

Target and Equifax provide two examples of security breaches causing significant market capital drops and drastic management changes. Thus, PE firms must have objective ways to measure security.

After initially vetting an investment, firms should establish KPIs that indicate cybersecurity health and allow it to be monitored over time. These KPIs ultimately hold portfolio firm boards and CIOs accountable for maintaining a good cybersecurity risk posture.

Preset KPIs also remove subjectivity when purchasing security products or services. Measuring the security gain from an intrusion-detection system, for example, against a defined KPI replaces opinion with evidence, and KPIs can help ensure that technology and service investments are effective.

How security posture is relevant to transactions

Increased use of third-party vendors increases exposure during transactions. Regulations clearly state that PE firms cannot offload their responsibility by using third-party vendors. Since PE firms manage cybersecurity risk more diligently than third-party vendors do, PE firms can strengthen their security posture during transactions by reviewing vendor security ratings.

To measure these risks, PE firms need the means to identify third-party vulnerabilities, exploits and threats immediately.

PE firms thrive by seeing opportunities where others see calamity. By marshaling the right resources, PE firms can take action to protect their investments’ overall cybersecurity posture while ensuring that portfolio companies and vendors do the same.

Aleksandr Yampolskiy is co-founder and CEO of SecurityScorecard, a New York-based cybersecurity-ratings company. He works with investment firms, large corporations, and angel investors to assess the overall security, vulnerability, and threat landscape of a potential target. Aleksandr can be reached at and +1 800-682-1707.

Aleksandr Yampolskiy, co-founder and CEO, SecurityScorecard. Photo courtesy of the firm.