Investors in private equity will increasingly demand that fund managers assess cybersecurity risks before handing them money, according to Coller Capital.
Limited partners such as pension funds and endowment contribute billions of dollars globally to funds raised by private-equity firms. While relatively few have been attacked, their concern over threats to cybersecurity is high.
“A cyber-attack could impact LPs in many ways, ranging from data being stolen or deleted, to attackers demanding ransom or converting funds,” Frank Morgan, a partner at Coller Capital, said in an email.
About 55 percent of limited partners expect a serious cyberattack on their firms in the next five years, Coller Capital found in its survey of 110 private-equity investors globally. As a result, the firm said in a report this week that a greater portion will require fund managers to assess cyber risks in the next few years.
Their concern about cyberattacks is merited, according to Samir Jain, a partner at Jones Day, and former senior director for cybersecurity policy at the National Security Council for the White House.
“Any significant organization in the financial industry faces cybersecurity threats whether that’s a criminal threat, a hacktivist or a nation state,” he said in a phone interview.
According to Jain, a private-equity investor could face criminal threats, like the ransomware attacks at England’s National Health Service last month. He said that a company in a fund manager’s portfolio could also see such attacks.
“We’re seeing an increasing in the number of cybersecurity attacks across the board,” Jain said. “A cyberattack can come from literally anywhere in the world. You don’t need any expertise.”
While cyber-threats are growing, Coller Capital found that just 5 percent of limited partners have experienced a significant cybersecurity incident in the past five years.
Fund managers and their investors need to be successful 100 percent of the time in protecting assets from a cyberattack, as a hacker has only to succeed once to cause major problems, Jain said. He pointed to Yahoo as an example of how a company can lose a large portion of its market value after experiencing cyberattacks.
Verizon Communications agreed in July to acquire Yahoo for $4.83 billion. Two months later, Yahoo said the internet company’s user information had been stolen by a “state-sponsored actor.” Then, in December, the company confirmed that another hack had taken place. Verizon and Yahoo lowered the purchase price by $350 million after the data breaches were disclosed, completing the $4.48 billion deal this month.
While 20 percent of limited partners surveyed by Coller Capital already require private-equity firms to perform cybersecurity risk assessments, roughly half expect to do so in the next three to five years, according to the report.
“A cybersecurity risk assessment is the first step,” Jain said. “It’s a systematic look at what types of risk are involved in the investment.”
Morgan agreed, saying that private-equity firms have more than their own businesses to worry about.
They “need to make sure there are systems and procedures in place at their own management companies to protect their assets from cyberattack,” he said. They “also need to assess the risk at their portfolio companies, which should form part of their operational due diligence.”