Q&A: Tackling cyber risks in the private equity industry

October 2023  |  SPECIAL REPORT: PRIVATE EQUITY

Financier Worldwide Magazine

October 2023 Issue


FW discusses tackling cyber risks in the private equity industry with Paul Harragan and Thomas Kim at Kohlberg Kravis Roberts & Co. L.P. and Zach Scheublein at Aon plc.

FW: How would you characterise the cyber risks currently facing the private equity (PE) industry? Have attacks targeting fund managers and their portfolio companies increased in recent times?

Scheublein: The private equity (PE) industry ecosystem continues to be highly targeted by threat actors given the sensitive data involved with transactions, the general lack of cyber resources together with the sophistication level of the small and middle market sectors in which the PE industry traditionally invests, and publicity of acquisitions. In general, we have seen an increase in cyber attacks within the world of M&A. According to the Federal Bureau of Investigation, ransomware threat actors often target portfolio companies of PE firms as they are seen as easier targets with more financial resources to pay ransom demands. In 2023, eight PE firms were posted to various ransomware blogs, with the Lockbit gang targeting three, the 8Base gang targeting two, the CL0P gang targeting two, and the Black Basta gang targeting one PE firm.

FW: How important is it for portfolio companies to monitor and protect against cyber threats? In your experience, do they often lack the cyber maturity and security defences required to do so?

Harragan: Managing cyber security risk is difficult. Understanding portfolio risk and threat management is even harder. In 2023, adopting a vanilla or boilerplate-style approach is typical in portfolio management within PE, to help understand the risk position. However, this approach does not take into consideration the unique complexity of each portfolio business, such as different operating models, geographies, scale, investment thesis and so on, which leads to each portfolio business having a different, mostly unique, threat model and risk profile. The implementation of foundational information security and cyber defence safeguards is a common criterion that all businesses are subject to, regardless of whether you are in the retail industry or part of critical national infrastructure. This is an important metric to measure, ensuring the basics are done, and the portfolio companies do not fall victim to any unsophisticated and preventable attacks. In addition, preparedness is key. Helping support and guide portfolio companies in understanding their threat landscape will aid them in testing against different scenarios they may fall victim to. Evidencing a proven response and recovery position if a crisis were to occur helps provide confidence in investor relations.

FW: What initial steps should PE managers take in response to potential cyber threats? How useful can an authorised simulated cyber attack be to identify vulnerabilities?

Harragan: We would encourage all PE managers to understand their confidence position in response and recovery planning. Having a plan on paper is good but often does not play out to plan when a real crisis occurs. Simulation and gamification exercises involving varied business stakeholders across different threat scenarios can provide valuable insight into how crisis and communications are managed when dealing with various incident profiles. How an incident is handled from start to finish can often impact service and customer reputation in either a positive or a negative way.

FW: In terms of transferring risk and protecting the downside, how important is it for PE firms to examine their insurance policies from a cyber angle, to ensure they optimise coverage in the event of an incident?

Kim: We believe that every PE firm and its portfolio companies should evaluate the purchase of cyber insurance as part of a holistic approach to cyber security. PE firms should invest in building relationships with best-in-class cyber insurance firms, including brokers and insurers, and leverage these relationships to negotiate broad coverage terms and competitive rates on behalf of their companies. While cyber insurance is a key part of the toolkit, it should not be the only tool and should be complemented by robust cyber security protocols.

Scheublein: The cyber insurance market is still in its infancy as a product, compared to more traditional insurance products, which means that there is very little in the way of standardised product language across the industry. For PE firms, it is critical to conduct appropriate due diligence to ensure the scope of coverage and alignment of terms in accordance with the portfolio’s industry composition and nature of operations. Placing coverage with markets with a consistent track record of paying claims is also a vital factor when selecting an insurance provider to help optimise the financial recovery process in the event of an incident. Lastly, an important yet sometimes overlooked component in helping to optimise the claim process is coordinating with your broker and carrier on incident response vendors, primarily legal and forensic providers, as part of your insurance placement strategy. Having to negotiate an agreement with incident response vendors during an actual crisis is not an effective process.

FW: In what ways is the cyber insurance market evolving to meet the unique demands of the PE industry? Are suitable products being tailored and adapted accordingly?

Kim: The insurance industry has done a good job crafting solutions to manage cyber risk, which is complicated and ever evolving. There is still room to grow, however. One area where we would like to see the insurance market mature is in clarifying how insurance responds to social engineering (SE) and wire fraud incidents, and creating a single policy that can respond to both cyber security and SE incidents. Many of the portfolio companies we interact with seem to believe that their cyber insurance covers SE claims, and, while many cyber policies provide some limited coverage, it is typically capped at a de minimis amount of insurance. Traditional crime insurance policies may also provide limited coverage for SE claims but similarly the coverage is limited, and this creates even more confusion among portfolio company executives.

Scheublein: Generally, the insurance market is often viewed as operating in a reactionary manner to evolving threats, like cyber. The cyber insurance industry is continuing to try and build products and solutions that can better help buyers improve risk posture, quantify risk and more effectively respond in the event of an incident. Progress is still being made, but brokers and carriers, especially those with dedicated PE experience and focus, should be constructing enhanced risk management and transfer solutions. The construction and management of a collaborative and aligned ecosystem of cyber risk management stakeholders – PE firms, portfolio companies, brokers, carriers and security vendors – to build a comprehensive risk management platform and incorporate it into a bespoke cyber insurance programme offering is part of an optimal approach to help support sustainability and value creation.

FW: What essential advice would you offer to PE firms on implementing robust cyber security measures to safeguard business value and maximise returns?

Kim: Robust cyber security measures are good corporate governance. It is a board-level topic and critical to enterprise risk management. Chief information security officers and risk managers should partner together.

Scheublein: The PE industry can significantly advance cyber security resiliency across all industry sectors. Cyber security risk management should be seen as an opportunity to create value from acquisition to exit. Certain PE firms are building a set of cyber security standards and requirements for portfolio companies while building teams, either internally or in partnership with third parties, to oversee effective remediation. With the increased threat of ransomware and threat actors exploiting zero-day vulnerabilities affecting multiple organisations, a robust cyber security and data breach response plan should be included in capital expenditures or operating expenses calculations, as part of that value creation.

FW: What predictions would you make about the nature of cyber threats the PE industry will need to address over the coming years? Will they need to remain proactive in their response?

Harragan: Inside of a PE house, the funds are often considered the highest prize for threat actors and, in particular, gaining access to the funds’ flow process. I believe the future will require fund managers to pay close attention to authentication procedures. With the advancements of deepfakes and generative artificial intelligence interpreters, it will be difficult to authorise and prove trust relationships with third parties, especially in the funds’ flow process, where big money flows are called upon to complete transactions. Having robust and trusted processes will be required to prevent any injections into the flow that could divert away from trusted sources.

Paul Harragan is KKR’s global cyber security lead for the firm’s portfolio. He is a seasoned information security and cyber defence executive. Prior to joining KKR, he was an associate partner with EY-Parthenon and led EYP’s cyber security practice across Europe, advising both private equity and corporates on cyber security strategy, risk and transformation. Mr Harragan is also an advisory board member at venture capitalist firm Ten Eleven Ventures.

Thomas Kim is KKR’s global leader for insurance, including oversight of insurance optimisation across KKR and KKR’s investments, innovation of KKR’s proprietary cross-portfolio insurance programmes, including cyber insurance, and global insurance due diligence.

Zach Scheublein partners with private equity firms to build cross-portfolio cyber programmes. He has over 15 years’ experience as a broker in the professional liability and cyber insurance space. He can be contacted on +1 (917) 494 3473 or by email: zach.scheublein@aon.com.

© Financier Worldwide