Data protection and privacy are no longer the sole preserve of IT or legal departments: information governance is a board-level responsibility, and the risks of overlooking this area are publicised repeatedly through the reputational, financial, legal and regulatory fallout from high-profile incidents. Private equity firms hold large volumes of data concerning their investment targets, their limited partners and employees, as well as vendors and other counterparties, but they also have an additional vulnerability: their portfolios. Despite this, S-RM’s research indicates that data protection is still receiving insufficient attention across the private equity industry. Here, cyber experts Harriet Martin and Felicity Loudon outline ways in which private equity clients can identify and manage data risk throughout the investment cycle and across a portfolio.
Data protection is too low down the list
In 2024, we surveyed 200 respondents across the private equity, venture capital and investment sectors in Europe and North America. Only 27% of private equity respondents said organisations in their investment portfolio had key performance indicators or targets to measure data protection and privacy, and just 25% reported that data protection was included on their risk registers.
Our survey also asked questions about Environmental, Social and Governance (ESG) issues, and the answers offer a useful comparison. Given that ESG is a relatively new area of corporate responsibility, and an inherently complex one, you might expect firms to be playing catch-up here. Instead, ESG has a meaningful head start over data protection: 97% of respondents reported that they considered ESG as a factor in their investment decision-making process, and 86% reported that their portfolio companies had a high or medium level of maturity in their ESG programmes. That is good news for ESG, but it shows there is clearly more to do in the data protection sphere.
The private equity industry faces a high level of scrutiny from investors and regulators, meaning otherwise low-risk portfolio companies may attract attention simply by virtue of their private equity investment. Further, a diverse investment portfolio can make compliance with data protection regulation challenging: investments are frequently spread across multiple jurisdictions and industries, all of which may operate in different risk landscapes and under varied legal and regulatory obligations.
Data risk for private equity firms’ portfolio companies is also multi-faceted:
- Firstly, the risk of a threat actor accessing sensitive data, whether that actor is an organised criminal group, a disaffected insider or even a hostile nation state. Stolen data might be used to enable further cyber attacks on the firm itself or on its private equity investor, for example by lending credibility to fraudulent payment or credential requests. Alternatively, the data itself might be the object of the attack: most commonly for extortion purposes, but investment information may also be sold on to other threat actors.
- Secondly, the risk of data integrity compromise, whether by a malicious third party or an insider. Firms and their customers make daily decisions on the basis of internal and public-facing data, and failing to safeguard its accuracy can be ruinous to a company's operations and reputation.
- Thirdly, legal and regulatory obligations are complex and ever-evolving. Especially for firms with investment portfolios across multiple industries and jurisdictions, ensuring the entire portfolio is compliant is a complex task, with the threat of significant fines and associated reputational damage if those obligations are not met.
Managing data risk throughout the investment cycle
S-RM’s experience helping private equity clients identify and manage data risk shows us that significant improvements in data protection, throughout the investment cycle and across a portfolio, are both achievable and impactful. With appropriate support, portfolio-wide data risk programmes can also be managed effectively even by those without a cyber security or data governance background.
Pre-acquisition
For private equity firms, preparation must start pre-investment. S-RM’s research shows that the average cost of a single significant cyber incident is approximately USD 3.4 million, including costs associated with business disruption, fines, intellectual property loss and reputational damage. Before any acquisition, it is vital to establish an accurate view of a target’s cyber risk exposure. This doesn’t need to impact the attractiveness of a potential investment. For example, a target may demonstrate a poor level of cyber maturity at the point of acquisition but the due diligence process enables investment teams to (a) surface this risk at the pre-investment stage and take steps to protect what may otherwise be a highly compelling investment, and (b) incorporate into their valuation models the anticipated capital investment required to achieve sufficient levels of data protection. Despite this, some private equity firms still make investments hoping for the best when it comes to data protection, rather than objectively evaluating—and pricing—their assumed risks.
The first 100 days
Newly acquired companies may also be particularly prone to data protection risks during the first 100 days post-acquisition. This period is often characterised by a higher-than-usual rate of personnel changes and by IT estate integration programmes. Both provide opportunities for threat actors: staff turnover makes fraudulent requests to change payment or approval details harder to spot, and integration work tends to create new roles, accounts and permissions across the IT environment that may be over-provisioned or never reviewed once the migration is complete. Investment managers play an important role in safeguarding their new acquisition during this period, by providing data-governance and data-protection guidance and expertise, especially for entities whose in-house maturity was flagged as underdeveloped at the pre-investment stage. For investment managers who lack the skills or confidence to perform this role themselves, bringing in targeted expertise, either in-house or externally, can be invaluable.
Holding period
Completing cyber diligence pre-acquisition also establishes a baseline of what portfolio companies will be expected to uphold throughout the investment lifecycle. Setting a culture of continuous improvement and accountability via ongoing monitoring is essential. Best practice for private equity firms is to run a periodic—at a minimum annual—review programme across the entire investment portfolio, to ensure that data protection standards are maintained and improved over time.
It's important that this review programme moves beyond a simple checklist of processes and procedures. It should provide actionable insights based on current data protection trends, whether new threats or new regulations, as well as realistic pathways to remediation targeted to the capabilities, budgets and risk profiles of the specific companies in question. This process won't look the same for every firm: risk management initiatives should be tailored to the private equity firm's processes, culture and level of engagement with its portfolio companies, and delivered at an appropriate level of technical detail.
Whether data risk is something you’re just starting to consider, or you’d like to benchmark your current practices against your industry, please reach out to Harriet Martin or Felicity Loudon – we’d be delighted to help.