skip to content

Managing cybersecurity risks across private equity firms’ portfolio companies


Cybersecurity is top of mind for many organizations. It’s even more important for private equity (PE) firms and their portfolio companies, which are looking to optimize performance.

The two biggest cyber threats to companies right now are ransomware and business email compromise.

Young Asian business woman using smart phone in a Virtual Reality
In an August 2023 report, the Canadian Centre for Cyber Security says, “ransomware is almost certainly the most disruptive form of cyber crime facing Canada.”

Many ransomware attacks use a double extortion tactic. This is when the perpetrator steals information, encrypts it, and threatens to sell or release the information to the public if the ransom isn’t paid. Unfortunately, many attackers are in safe havens and can easily avoid prosecution from Canadian authorities.

The other major threat is business email compromise. One of the most common scams are false invoice or impersonation schemes. For example, the threat actor will take control of an employee account to change the information for invoice payments. Or they may impersonate a vendor or business partner, which results in fraudulent transactions.

While every company is a potential target for a cyber threat, some portfolio companies may face more threats than others. In 2022, the Canadian Anti-Fraud Centre noted the five most impersonated sectors were governments, delivery agencies, retail, health, and finance.

A company’s cybersecurity risk profile will be affected by the industry in which they operate, the type of sensitive data they collect and store, and the intellectual property they own. Companies that support governments (federal, provincial, or municipal) as a client are typically more highly targeted.

PE firms’ portfolio companies or the companies they plan to buy might not have a cybersecurity strategy or a robust program in place to manage cyber risk. High risk can be introduced if cybersecurity due diligence is not performed. 

Not all portfolio companies are created equal, nor are their associated cyber risk profiles. Right sizing assessment methodologies and mitigating actions are key to ensure the most value is achieved through security efforts. 

The impact on valuations

As many PE firms are focused on growing and optimizing their portfolio companies, investing in cyber risk management is a great way to preserve value and manage against introducing critical risks into the company. 

It’s important to have an emphasis on value creation but neglecting cybersecurity risks can also leave portfolio companies open to additional threats and reduced value during due diligence. An investment in cybersecurity measures will not only better manage the risk of cyber threats against the portfolio company, but it can also improve valuations and avoid a negative impact on company worth and value deterioration if a breach were to occur. 

Companies that have been the victim of attacks have seen their value decrease. For example, Verizon lowered its original offer for Yahoo by US$350 million in 2017 after the internet company revealed two data breaches. And SolarWinds—a software company majority owned by two private equity firms—saw its stock drop 40% in one week in December 2020 after U.S. government agencies were breached through its software.

Preventative measures

Threat actors can be nation states, cyber criminals, or thrill seekers, and the ability to execute an attack is becoming easier as they can access information online through forums, sharing platforms, or the dark web.

To combat this, PE firms need to act. The investment team and the C-suite at every portfolio company will have to make collaborative decisions to protect their businesses. Cybersecurity is more than just an IT issue.

They should consider the following steps:

Identify the most critical assets and business functions
Assess cyber risk against those assets and assess your portfolio companies’ resilience to cyber risk
Effectively manage risk by implementing baseline security controls across your people, processes, and technology
Continuously identify, assess, and manage risk as your business and technology environment evolves
Build cyber risk management into your culture

Most importantly, private equity firms should conduct a more formal and independent review across every portfolio company to assess how each cyber program is performing and monitor the portfolio companies for assurance and peace of mind. A trusted partner can be enlisted to help with this last step.

How we can help

Our team of technology practitioners has provided customized and practical cybersecurity solutions to hundreds of public and private companies in a variety of industries. Our private equity professionals know how deals are structured and how they’re done. We work together to provide you with solutions that are right sized for your company.

This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our privacy statement for more information on the cookies we use and how to delete or block them.

Accept and close