Best practices for a growing threat
Cybersecurity has seen particularly dramatic changes in the past several years. Work is dispersing across homes, offices and airport lounges; infrastructure is shifting to the cloud; manufacturing and supply chain processes are becoming digital; technology is evolving exponentially; attack surfaces are multiplying; and bad actors are becoming increasingly sophisticated.
The first cyber insurance policy was issued in the mid-1980s. Although purchasing this type of insurance was initially not popular, the past 30 years have brought dramatic change in demand, coverage terms and losses. Cybersecurity and cyber insurance are increasingly a concern for private equity (PE) leaders due to the risks they pose to their portfolio companies and deal diligence efforts. Against this background, Grant Thornton LLP recently brought together PE operating partners, and our own experts, to discuss the best ways to approach this challenge.
Grant Thornton Cyber Risk Advisory Services Principal John Pearce noted that since 2019, the cost of ransomware demands has been increasing and often tops $200,000 per attack. While longer-term events such as class action and data breach lawsuits are more difficult to quantify, their impact has been undeniable.
Insurers have been transparent about their challenges with underwriting cyber insurance and about how losses have outpaced premiums. While insurance carriers continue to learn how to profitably underwrite cyberrisks, PE has been hit particularly hard as insurers have responded to these pressures by raising rates, applying greater scrutiny to applicants, enforcing tougher underwriting standards and even limiting or restricting coverage for certain industries. In turn, this causes stress for portfolio companies when they try to secure insurance or are denied claims they thought were covered.
Best practices for portfolio companies
Given these challenges, Pearce outlined best practices for portfolio companies:
- Focus on detection, response and monitoring
- Institute multi-factor authentication
- Install — and practice — incident response and data recovery processes
Portfolio companies should also identify any gaps in their current cybersecurity strategy, perform a cost-benefit analysis of additional controls, and establish business continuity plans.
A participant who experienced a major cyberattack indicated the benefits of such practices extend far beyond improving the company’s access to affordable insurance or reducing the cost of attacks. Cyberattacks have repercussions that are hard to quantify but impossible to forget: they can profoundly affect reputational, operational and financial elements of the business and demoralize employees and clients, ultimately reducing revenue and profit.
Grant Thornton National Managing Partner, Private Equity, Carlos Ferreira concluded that “the real risk is that you don’t identify the risk.”
Best practices for PE firms
One participant discussed the unique position that PE firms occupy in relation to their portfolio companies. The relationship is fluid and is complicated by the nature of ownership or investment and the composition of the portfolio. This is further compounded by layering on the rapidity of cybersecurity change and the continuous headlines discussing ongoing cyberattacks across all industries. This can be more complicated for mid-sized PE firms because they don’t have as many resources for addressing cybersecurity as their larger peers.
For their respective portfolio companies, PE firms should consider the requirements needed to maintain appropriate levels of cybersecurity and cyber insurance coverage. While there is a wide variety of risks and needs based on the specific industry of a portfolio company, a growing trend sees PE firms building surveys to gather information and scorecards to monitor exposure across their portfolios. Several roundtable participants indicated that having access to standard education and training platforms for portfolio company employees had yielded an improvement in awareness of cyberrisks.
The current hard market for cyber insurance (and many other commercial insurance lines) is expected to continue for the foreseeable future. This reality has been driving many companies to consider self-insurance solutions. Self-insurance solutions can be structured at the portfolio company or PE level to pool and aggregate risk across the portfolio and gain access to a wider variety of insurance markets.
Best practices for insurance purchasers
Partnership with your insurance broker is critical when it comes to building a portfolio company’s cybersecurity risk profile. While companies should be using services and software to proactively manage cybersecurity risk, your broker will assist with industry comparatives and identify the variety of insurance markets that would offer coverage.
Paying attention to per-incident and aggregate limits, as well as sub-limits, for cyberattack incidents that cause business interruption and ransomware payments is critical when evaluating the cyber insurance coverages presented by your broker. Also, understanding the risk profile of the company and knowing when to consider self-insurance options are important in risk management. Insurance advisors can be helpful in evaluating these options.
Best practices for the future
Cybersecurity is dynamic, and the regulatory environment is shifting rapidly. In early 2022, the SEC proposed rules for PE funds and other investment companies to improve investor confidence in their resilience. The new direction would require written cybersecurity policies and processes — including mechanisms for reporting significant cybersecurity incidents, disclosing cybersecurity risks, and adopting recordkeeping requirements. The final SEC rules have not yet been issued.
Participants reported that such procedures currently vary by firm, with materiality related to an attack’s financial, reputational and operational risk being an evolving consideration. Although there is broad consensus about the materiality of data theft, business interruptions of limited scale and duration may not be material. In many cases, portfolio companies rely upon third-party counsel to make preliminary determinations related to materiality.
Finally, in the absence of a substantial breach, cybersecurity incidents or a lack of hygiene are not making or breaking deals or driving the sales of portfolio companies. Typically, these attacks are viewed as a weakness and are being addressed by investing in cybersecurity and insurance protection, which, as discussed at the roundtable, is becoming more costly. The operating partners present agreed that the rapidly changing needs to protect against cyberattacks and the difficulties with securing insurance are becoming increasingly challenging. If cyberattacks continue to escalate and threaten investments, cybersecurity may become a broad challenge that PE firms will have to address.