Navigating the Evolving Cybersecurity Landscape: Insights from a Former SEC Advisor
By Alliant Specialty
The world of private equity (PE) continues to be targeted by bad actors looking for a vulnerable target. As a result, PE is facing a significant shift in the cybersecurity landscape. With cyber attacks impacting value creation and the SEC's proposed amendments to Regulation S-P (Reg S-P), PE firms are being called upon to elevate their cybersecurity posture, including understanding the cybersecurity posture of the portfolio.
To shed light on these changes and offer actionable guidance, Alliant recently sat down with Chris Hetner, a former advisor for cybersecurity to the SEC.
Hetner’s insights paint a clear picture. The SEC is expanding its expectations around protecting the investor. Traditionally, the SEC's Reg S-P focused on safeguarding investor data, such as social security numbers and account details. However, the proposed amendments to Reg S-P represent a paradigm shift, placing a strong emphasis on safeguarding the integrity of the investment portfolio itself. This means PE firms will need to demonstrate a robust understanding of their portfolio companies' cybersecurity practices and how they mitigate cyber risk to their investments.
PE firms will face increased scrutiny on how they:
- Oversee cybersecurity practices within their portfolio companies.
- Mitigate cyber risk exposure across their investments.
- Integrate cybersecurity discussions into board-level decision making.
Pillars for a Robust Cybersecurity Program
Hetner offered a valuable framework for PE firms to build a comprehensive cybersecurity program in this evolving environment for their portfolio companies:
1. Boardroom Engagement and Upfront Diligence
Gone are the days of passive board oversight on cybersecurity. Hetner emphasizes the need for active board engagement, ensuring a deep understanding of portfolio company cybersecurity practices. This includes integrating cybersecurity discussions into board meetings and making it a key consideration during the due diligence process. Upfront assessments should go beyond financial health to identify potential cyber vulnerabilities in target companies.
2. Continuous Risk Assessment and Prioritization
Cybersecurity is not a one-time fix. Hetner highlights the importance of ongoing risk assessments across the entire portfolio. These assessments should not be generic—they need to consider the specific industry threats faced by each portfolio company. By understanding the unique risk landscape, PE firms can prioritize investments in cybersecurity controls, allocating resources where they are needed most.
3. Bridging the Gap: Communication and Business Context
Technical jargon can create a communication gap between cybersecurity professionals and boards. Hetner emphasizes the need for clear and concise communication, translating technical risks into business language that resonates with board members. Furthermore, cybersecurity investments should align with the financial and operational context of each portfolio company.
4. Streamlining for Efficiency and Utilizing External Expertise
Managing cybersecurity across a diverse portfolio can be complex. Hetner suggests streamlining the cybersecurity technology stack whenever possible. This reduces management overhead and potentially lowers costs. Additionally, leveraging data and analytics from external experts can provide valuable insights into industry benchmarks and best practices.
5. Building a Dedicated Operational Risk Team: Sharing the Burden
The increased focus on cybersecurity creates a significant burden for PE firms. Hetner acknowledges this challenge and proposes the creation of a dedicated operational risk function within the firm. This team would be responsible for overseeing cybersecurity risk across the portfolio, integrating it with other relevant considerations like legal, regulatory and supply chain risks. Firms can also leverage external expertise for data analytics and industry insights, ensuring the firm has access to the most up-to-date information and best practices.
Conclusion: A Proactive Approach is Key
The guidance offered by Chris Hetner is clear: PE firms need to be proactive in addressing the evolving cybersecurity landscape. By adopting a comprehensive approach that incorporates board oversight, due diligence, ongoing risk assessment, clear communication, streamlined technology and the creation of a dedicated operational risk team, PE firms can demonstrate strong cybersecurity governance and protect their investments in the face of the pending SEC rule changes.
To adhere to these best practices, PE firms should work with a specialized insurance broker who understands their unique risks and can help navigate the evolving cybersecurity landscape with tailored risk remediation, management and transference solutions.
Remember, in today's environment, a robust cybersecurity posture is no longer just a best practice—it's a necessity. Contact Alliant today to meet cyber risk and transference objectives and stay resilient in the face of emerging threats.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.