“An attack on a portfolio company could lead to a devaluation of the asset or a potential derailment of a deal”

The most serious cyber risks in 2023 are the same ones that have plagued the industry for years. It's the 'quality' of attacks that has changed, with the explosion of bot-aided phishing and AI-enhanced communications. Paul Loefstedt, Principal Solutions Consultant at SS&C Intralinks, who is set to moderate the forthcoming Zero One Hundred Conferences webinar "How to Secure Data and Protect Investors" on Wednesday, October 11th, at 4:30 PM CEST, sheds light on this shift.


What new risks and cybersecurity challenges are currently impacting private equity (PE) funds?

Cyber risks can be more prominent for PE firms given the number of portfolio companies they own with varying degrees of policies, safeguards and corporate cultures. Companies infected with ransomware can completely shut down operations. An attack on a portfolio company could lead to a devaluation of the asset or a potential derailment of a deal.

Spyware can lurk on corporate servers, evading detection and consequently resulting in the loss of intellectual property, data breaches that compromise investors, and the theft of critical intelligence which compromises the competitive posture of the firm. None of these threats are new; their magnitude is greater than ever, and the industry is far from uniformly addressing these threats with the urgency they deserve.

How can Private Equity firms proactively prevent and mitigate these threats?

The first step is appreciating the risks. Well-publicized data breaches tend to get our attention, but firms are too often lulled into a false sense of confidence regarding their vulnerability. Eventual cyber compromise should be viewed as likely if not inevitable. Both preventative and recovery plans are required. How firms respond to cyber compromise is every bit as important as how they prepare for prevention.

From a preparation POV, the fundamentals need to be continually reinforced, whether they are smart password policies, cautious and watchful user behaviors, or adoption/enforcement/review of good practices and the technology to enable them. Even large financial organizations that adopt security best practices - Single Sign-On, for example, and multi-factor authentication - often have numerous exceptions to policy to avoid operational 'disruption.' 

How can PE firms reinforce investor risk management?

PE firms often get pushback from individual investors on such basics as the need to log in to a portal to see a report. Navigating those waters from an IR perspective is tricky; PE firms could help investor-facing teams by arming them with better talk tracks, well-articulated policy requirements, and superior software solutions to win over influential investors. Investor risk management has been a central topic of discussion at many industry conferences. Speakers from the FBI, SEC, cyber defense firms, and corporate leaders have recounted the self-inflicted wounds resulting from not adhering to the most basic good practices.

Notwithstanding the low-tech essentials suggested above, the reality is that cyber risk mitigation is a specialty demanding the aid of experts. Network security, server scans, and IT-controlled updates that ensure all connected corporate devices are adequately governed are all table stakes in the battle against malicious actors.

What should PE firms consider when building proper cyber risk protocols?

Disaster recovery and mitigation strategies play a crucial role in determining the speed and cost at which compromises are resolved, directly influencing the event's impact on reputation. Technology investments to identify and assess network and system exposure are only part of what needs to be a comprehensive plan, with operational, training, and device configuration considerations. PE firms need to hire and engage experts who specialize in this most dynamic and complex area.

Of course, the portfolio of companies/assets that comprise PE holdings represents a particularly high level of exposure to cyber threats. Cyber diligence requires specialized knowledge of systems and policies, the recognition of risk factors, and a dogged insistence on evidence.

How much capital is compromised every year due to data security problems?

Any estimate would be difficult to state with confidence. However, we do have details on publicly known incidents (Equifax, Capital One with $124M and $575M in settlements or fines) of the cost of cyber compromise, and statistics assembled by experts on trends. IBM's 2023 report Cost of a Data Breach cited an average cost of $4.45M, while many sources suggest that over 90% of company networks are 'breachable' - in the sense that their network 'perimeter' can be penetrated and access to local network resources gained. With PE firms in particular, capital compromise can take the form of diminished fund performance due to cyber compromise of a portfolio company, or the perception of risk that may bias market perception of the value of that company. Additionally, the reputational risk associated with a data security breach can affect a PE firm considerably.

Besides cybersecurity, what other challenges do Private Equity firms have regarding data availability and management?

PE firms often have an ecosystem of poorly integrated systems that span CRM, accounting, and reporting - to name a few. The challenges of ensuring data consistency are often addressed through manual 'review and update,' which often falls to overtaxed investor relations teams to accomplish. There is widespread investment in the integration of complex software topologies, with mixed results. Some software is more amenable to integration than others due to poor, non-public, or non-existent APIs, for example. Working with technology providers that allow for easy integration into internal systems is a must for PE firms.

Paul Loefstedt, Principal Solutions Consultant at SS&C Intralinks, will be moderating the Zero One Hundred Conferences webinar "How to Secure Data and Protect Investors" with top industry speakers Paul Harragan, Portfolio's Global Cybersecurity Lead KKR; Nigel Diesveld, CFO and Chief Risk Officer at HPE Growth; Julia Dudenko, CISO at Haniel; and Thomas Baasnes, Cybersecurity Director at Verdane.

The online event will be held on Wednesday, October 11th, at 4:30 PM CEST.
