Hello reader,
Welcome to the 23rd edition of Access.
Have you ever thought about how much of your life is online? If you’re anything like me, your work life is almost completely digital, despite the charming and slightly outdated reminders of an analogue world that still linger. (Envelope icons for emails? Paper clips for attachments? I could go on…)
In our digital world, cyber risks are ever-changing, and execs are paying attention.
“The expanded attack surface, combined with a rapidly evolving threat landscape, is causing cybersecurity to soar up the boardroom agenda.”
- Paul Ponzeka, CTO at Abacus Group
An evolving risk and security landscape brings both challenges and opportunities. This week, we delve into the world of cybersecurity to explore what this looks like from a private markets perspective.
If you’re taking some time off over this weekend, enjoy! We wish you a very peaceful break and look forward to being with you (digitally speaking) next week.
Until next time -
Liz & Melissa
In case you missed it…
Last week’s edition was a deep dive into all things B Corp, including:
FEATURING:
In Brief: News & Views From Across Our Network
The Fallout from SVB is Decidedly Undecided
People News, Moves and Promotions
PRI Releases Results From Signatory Consultation
In Depth: Cyber Defences for Private Capital
IN BRIEF
The Fallout from SVB is Decidedly Undecided
Whilst there’s no doubt the collapse of Silicon Valley Bank has impacted many people and companies across the globe, it’s a bit early to be predicting the long term impact. That, of course, hasn’t stopped commentators from weighing in.
This week, the Financial Times told us, in a rather depressing piece, that ‘Venture capital funding in start-ups halves as tech downturn bites’, and on the same day, their Adventurous Investor asked ‘Are venture capital funds about to lift off?’
(Sidenote - this is no criticism of the FT, we love a bit of a healthy debate and many a conversation benefits from greater diversity of opinion).
The second piece in particular is worth a read. It walks through some of the complexities of VC valuations, along with some informed opinions about what’s going on in the market right now. Take a read, let us know what you think.
***
People News, Moves and Promotions
It’s been another busy week for people moves.
First off, congratulations to one of our favourite PE people, Dave Rogers, who joins Grant Thornton as an Associate Director in the Technology Consulting Team. He will focus on delivering IT transformation & technology due diligence and M&A support to Corporate and Private Equity clients.
We’d also like to say a big high five to Ekta Mulchandani, who leaves her role at Holland Mountain (and big shoes to fill!) to join CVC as an associate… Congrats also to Ajmal Salim who is promoted to Assistant Manager, Fund Systems at Ocorian… and Christopher Dixon who joins the Allvue Systems team as a Sales Director… And also to Ben Lucas, who leaves KPMG where he headed up their UK Asset Management team, to join Amundi Technology as CEO.
***
PRI Releases Results From Signatory Consultation
Over a 3-month period, David Atkin, CEO for Principles for Responsible Investment (PRI), led 19 workshops with ~400 signatories across 10 countries. The report published on their website last week is the outcome of this consultation.
“We know that our organisation has a vital role to fulfil at the heart of the global responsible investment ecosystem – one which is rapidly evolving.”
While a third of respondents believe that managing ESG risks is the sole dimension of sustainable investment, more than half said they see the future of responsible investment as inclusive of both ESG risk management, and identifying and acting on sustainability outcomes. And a vast majority (95%) want to progress responsible investment activities in a voluntary, non-prescriptive way, relevant to their organisation.
IN DEPTH
“There are only two types of companies: Those that have been hacked and those that will be hacked.” - Robert S. Mueller, III, former Director of the FBI
Cyber security is one of those topics that most of us don’t give much thought to until something goes wrong. When that happens, the impact can be far-reaching and for some organisations, catastrophic.
Earlier this year, the UK’s Royal Mail was the target of a cyber attack that took out its international delivery network. After refusing to pay the £67m ransom, it took nearly six weeks to resume deliveries.
More recently, concerns have been growing over social platform TikTok. CEO Shou Zi Chew appeared in front of US lawmakers last month to defend connections between China and TikTok’s parent company, ByteDance. The NSA’s head of cyber security has labelled the app a ‘Trojan horse’, and in the last few days Australia has joined the UK and US in banning TikTok from government employee devices.
Cyber Security in PE
There are a couple of different angles on cyber risks for private equity firms. Firstly, the firm itself needs to make sure it has adequate protection, and secondly, it has a responsibility towards its portfolio companies, both in terms of due diligence before investment, and then building resilience against security risks and cyber attacks, which directly translates into value for a potential exit.
“We might ask PE managers: If the systems are down, how much would they lose each day? What’s the impact?”
- Jon Moore, CRO at Clearwater
The sensitive financial data and intellectual property owned by private equity firms make the industry a prime target for cyber criminals. Areas of risk include the opportunity to access funds, multiple points of vulnerability across operations, data exchange with third party vendors, increasingly connected software systems and employees’ digital behaviour, especially now that many employees are accessing workplace apps remotely from their phones, tablets, laptops, & smart watches, as well as their office workstation.
Gartner predicts that at least 50% of C-level executives will have performance requirements related to cybersecurity built into their employment contracts by 2026, an imperative that puts further pressure on business leaders to strengthen their organisations’ cyber defences.
- Paul Ponzeka, CTO at Abacus Group
Despite the obvious risks, just 23% of international private equity firms have an operational and compliant cyber security programme in place.
Threat Assessment
Ransomware seems to come top of most people’s lists when we ask about cyber risks. In simple terms, it’s a piece of malicious software, or malware, that prevents access to a device and the files stored on it. IBM puts the average cost to a target of a ransomware attack in the US last year at a staggering $4.5m, although this is dwarfed by the cost of data breaches in general, which sits at $9.5m.
For firms looking to strengthen their defences, RFA’s cyber team suggests developing a recovery plan, focusing on ‘when’ not ‘if’ this will occur.
“The first step of this plan is to identify and protect critical data. Step two is to implement solid and robust backup procedures so a firm can continue to work irrespective of the damage caused by the attack.”
Another area of concern is zero-day vulnerabilities. These are unknown security flaws in software that hackers exploit before a patch is available. Agio’s CEO Bart McDonough recommends ensuring critical data is backed up regularly, and educating employees on how to spot and report suspicious activity.
“Given the growing threat landscape, private equity and hedge fund firms must consistently take proactive cybersecurity measures.”
The uncomfortable truth is that most cyber-attacks are enabled by employees unwittingly providing hackers with a way into a company's systems. Security awareness training and education is increasingly an essential part of private equity firms' cyber security strategy. Employees should be trained about phishing scams, password hygiene best practices, the importance of keeping software up-to-date, and how to recognise and report security breaches.
ECI published an interesting article earlier this year on striking the right balance between seamless and secure, explaining that when “security policies impede productivity, employees are likely to find workarounds that introduce enterprise risk.”
Cyber Professionals in Private Markets
Cyber security professionals in private equity have the difficult task of implementing all the right tools and processes to keep the company safe, but without disrupting the deal-making process. We took a closer look at a handful of the cyber security profiles in the industry…
With over 10 years' experience in technology and cyber security, Matthew Ferguson is the Head of Cyber Security at London-based IMMO Capital. Ferguson joined the team in September 2022 having previously worked at 6point6 (a PE-backed IT services firm) and Octopus Investments. In November 2022, he was a guest on the Evo Cyber Security podcast where the panel discussed operational resilience.
From a cyber security due diligence perspective, Jennifer Wong has over 17 years' experience, and is currently a Principal at Boston Consulting Group. With a specialist background in IT, Wong joined JPMorgan in 2015 working on security operations within their Corporate & Investment Bank (CIB) division, before moving to EY to advise on cyber security, privacy and resilience, pre- and post-deal M&A.
John Nugent is VP for Technology and Cyber at Apax Partners LLP. He joined in 2020 from PwC where he ran the Cyber Deals practice, identifying, managing and resolving cyber risks through the deal lifecycle. Prior to PwC, Nugent was at Control Risks as Practice Lead for Cyber Threat Intelligence and Cyber Consulting.
As IT director and Head of Cyber at ECI Partners, Ash Patel holds a dual role. He is responsible for keeping ECI secure, whilst supporting their portfolio to analyse any cyber gaps and build a robust cyber roadmap.
As Ash describes in a conversation with Partner Suzanne Pike, these growing vulnerabilities apply not only to private equity firms, but also to the companies they invest in, from due diligence and onboarding, to integration and exit.
“When we’re invested, we see it as part of our duty and good governance to make sure we can help them to monitor cyber risk and provide real support for portfolio companies to fix any potential issues.”
- Ash Patel, ECI
There is a real demand for cyber security solutions across all industries, not least because accelerated digital transformation has created more spaces for cybercrime to occur. More companies are raising their budgets for cyber security, and in turn the market climate has opened up more opportunities for cyber security firms to look for investor funding.
Investing in Cyber
For fund managers specialising in technology deals, cyber security investments have remained a priority. Over the past five years, the top 10 most active PE investors in cyber security have completed 146 deals, with a median deal size of over $541 million.
In 2022, deal activity saw a particular interest in consolidating a subsector of cybersecurity - identity and access management. Software-focused private equity firm Thoma Bravo completed two notable acquisitions: SailPoint Technologies Holdings Inc. for $6.9bn and Ping Identity Holding Corp. for $2.8bn.
One of the largest cybersecurity deals was the $14bn take-private of security software firm McAfee. The transaction in 2021 was made by a consortium led by private equity firm Advent International, with Permira Advisers LLC, Crosspoint Capital Partners and Canada Pension Plan Investment Board amongst the group of investors.
Founded in 2015, Option3 is a US-based specialist cyber security private equity fund, focused on combining expertise in national security with a wealth of investment and M&A experience. The Option3 team invests directly in mid-market companies and via their C2 cyber security private equity fund, one of only a few cyber-focused funds beyond venture investing.
It’s clear that private equity firms face significant cyber security risks to their own operations, in addition to the threats posed to their portfolio companies. There is also a unique backdrop to all this, which Paul Harragan at EY sums up very nicely:
“The purpose of a PE investment is to change or evolve the way the business operates, which necessarily changes the threat landscape. In turn, an expanded threat landscape means that cybersecurity needs to be readdressed and threat modelled to understand the future risk position.”
This theme of constant vigilance is a common one in cyber security, and perhaps lends weight to the quote at the beginning of this piece. Working on the basis that it’s a matter of when, not if, what will you do to combat cyber threats?
And finally… Downing Street x TikTok
We were curious about what government officials were actually using TikTok for, so we took a quick look around and found this gem.
The BBC sums it up best:
‘Downing Street - which last posted a TikTok video of Larry the Cat predicting football results - said it would continue to use TikTok to get the government's message out. It said there were exemptions to the ban under some circumstances.’
- BBC News
Thanks for reading. If you don't want to miss our next newsletter, please add Access to your contact list. (Or move this email from "promotions" to your primary inbox.)