Cybersecurity for value creation Private Equity Survey

Cybersecurity for value creation - ey.com · performance measures A misstep or data breach has the potential to seriously damage the value or brand of a portfolio business, with investors


Foreword

Cybersecurity for private equity
  • Cybersecurity across large-, mid- and small-cap firms
  • Cybersecurity in the deal process
  • Mitigating cybersecurity risks
  • Setting Board performance measures
  • Making cybersecurity risk management cultural
  • Driving competitive advantages

Actions for improvement

Survey methodology


FOREWORD


The private equity (PE) sector thrives on opportunity, and cybersecurity is increasingly becoming just that. The past 18 months have seen buyout firms make a succession of strategic investments in cybersecurity businesses. While this proves that PE sees the value of the sector itself, it does not shed light on how PE is approaching cybersecurity within its own portfolio companies.

Our report Cybersecurity for value creation surveyed 50 UK-based private equity general partners with assets under management of at least £500mn. It charts the maturity level of the sector in its approach to cybersecurity at every stage of the deal cycle. Our research focuses on PE firms’ attitudes towards the cybersecurity risks faced by their portfolio businesses and how cybersecurity might impact the value of these investments.

For PE firms, this applies to every business in the portfolio: mitigating cybersecurity risks and striving for best practice will drive growth in those businesses and ultimately secure greater value at the point of purchase or exit.

Our report finds that many PE firms need to do more to realise the value that strong cybersecurity can bring to their portfolio companies. PE has to be proactive in pursuing these gains, building governance structures through which they can raise standards across all their companies.

As cyber-attacks proliferate and public scrutiny of breaches and failures intensifies, the value available from leading on cybersecurity is growing all the time. By having solid cybersecurity measures in place, PE firms can have confidence in managing any potential threats to their individual assets and overall portfolio.


In the last few years, digital disruption and media coverage of cyber-attacks have pushed cybersecurity risks firmly to the forefront of business thinking. When not managed correctly, there are few things as disruptive as a security or data breach. As a result, cybersecurity has risen quickly up the agenda of private equity investors as a core factor in the ongoing value of a company and as a major consideration in any M&A decision.

Despite the growing awareness around cybersecurity issues, our research suggests that the PE industry’s cybersecurity maturity level is still low to medium.

PE firms are at a similar stage in their cybersecurity evolution to sectors such as energy and life sciences, but behind leaders like technology, media and telecommunications¹.

There are also differences between the largest and smallest surveyed PE firms when it comes to their vision for cybersecurity. The larger firms are placing cybersecurity as a higher strategic priority. As a result, they are investing more around cybersecurity to drive value across their portfolio.

Across all the surveyed PE firms, the rise of sophisticated attacks, new regulations and emerging technology (such as artificial intelligence) present the greatest cybersecurity challenges across investment portfolios.

PE firms must be confident not only that their own cybersecurity is robust, but also that their portfolio companies are equipped to confront both existing and emerging risks. More work is needed on cybersecurity leadership mindsets; on due diligence across the entire deal lifecycle; and on quantifying cybersecurity risks with the right value measures.

Increasing numbers of PE firms are recognising that a greater focus on cybersecurity represents an opportunity to enhance their investee businesses.

¹ EY’s Cybersecurity for competitive advantages report that looks at how cybersecurity maturity levels vary across UK sectors.

Which of these do you believe creates the greatest cybersecurity challenges across your investment portfolio?

  • The rise of new and sophisticated attacks: 34%
  • The rise of new regulations: 28%
  • The rise of new technology: 22%
  • The rise of hacktivist groups: 10%
  • The rise of data: 6%

This report explores six key areas:

1. Cybersecurity across large-, mid- and small-cap firms
   Looking at the different cybersecurity approaches across the sector.

2. Cybersecurity in the deal process
   Using cybersecurity to inform investment decisions across the whole deal lifecycle.

3. Mitigating cybersecurity risks
   Enforcing the right governance for progressing cybersecurity efforts in the long term.

4. Setting Board performance measures
   Extending knowledge of the cybersecurity process to the Board and investors by applying the right metrics and measurements.

5. Making cybersecurity risk management cultural
   Thinking laterally when it comes to cybersecurity risk across the whole organisation, from the technology to the people.

6. Driving competitive advantages
   Improving cybersecurity to positively impact investments using it as a tool to drive value and market advantages across the portfolio.

Cybersecurity for private equity


Cybersecurity across large-, mid- and small-cap firms

Our survey reveals differences between the largest and smallest PE firms when it comes to investing in cybersecurity, with access to budgets and resources playing a part.

While 92% of large PE firms have a member of their management team with overall responsibility for cybersecurity, this drops to 19% for mid-market and 10% for small-cap firms. More than ever, in an intensely competitive marketplace, recruiting in-demand and highly skilled cybersecurity professionals is becoming more difficult and expensive for smaller PE firms.

Over four-fifths (85%) of large PE firms are also prepared to invest between 5% and 10% of deal value to reduce cybersecurity risk, while 69% of mid-market and smaller firms are more likely to invest between 2% and 5%.

Meanwhile, 62% of large PE firms believe that more than 25% of deal value could be affected as a result of a security breach. In light of this, 85% of large firms view cybersecurity as a high strategic risk that can erode deal value, compared to 31% of mid-market and 10% of smaller PE firms.

Furthermore, all respondents from large PE firms feel investing in a company with robust cybersecurity is important when making investment decisions. All large PE firms surveyed believe in investing in cybersecurity as a means to drive competitive advantage across their portfolio.

PE firms where cybersecurity is viewed as a high strategic risk that can erode deal value:

  • Large-cap firms: 85%
  • Mid-cap firms: 31%
  • Small-cap firms: 10%

PE firms that have a member of their management team with direct responsibility for cybersecurity:

  • Large-cap firms: 92%
  • Mid-cap firms: 19%
  • Small-cap firms: 10%

All surveyed large cap PE firms feel investing in a company with robust cybersecurity is important when making investment decisions and believe in investing in cybersecurity as a means to drive competitive advantage across their portfolio.


Just as cybersecurity due diligence should be enforced to secure the best deal for an asset, equal precautions should be made to get the most value from an asset. Buyers will be looking at this as an issue to lower deal price, so having governance processes in place to maximise deal value throughout ownership can have a significant impact.

Michael Young, Director, Cybersecurity – Transaction Advisory Services, EY

Cybersecurity in the deal process

For PE firms of all sizes, cybersecurity should be informing investment decisions across the whole deal lifecycle. Our survey reveals that cybersecurity is viewed as a major risk in pre-deal and as part of portfolio reviews, but less so at the post-deal or exit readiness stage.

Almost half of all surveyed firms regularly include cybersecurity risk assessments in their pre-deal processes compared to just over a quarter in their post-deal ones.

PE firms recognise that cybersecurity issues have the potential to have a significant impact on the value of the businesses in which they invest.

However, focusing on due diligence while overlooking the risks at exit readiness is likely to undermine the potential sale of a business.

By regularly enforcing cybersecurity measures across the entire deal process, PE firms can ensure they are not running with unknown risks throughout business ownership.

Dealing with dynamic businesses means a regular process of cyber risk assessment. The increased risk across industries is concerning and before we enter into deals, we need to determine the level of risk overall.

Managing Partner, Small-cap firm

46% of PE firms regularly include cybersecurity risk assessments in their pre-deal, compared to only 26% at post-deal.

PE firms that look to detect cybersecurity issues across their ownership lifecycle:

  • As part of their portfolio review: 34%
  • As part of pre-deal: 24%
  • At exit readiness: 24%


Mitigating cybersecurity risks

Which of the following do you think could most help mitigate cybersecurity risks across your investment portfolio?

  • Making cybersecurity risk assessments a strategic priority: 44%
  • Clearly identifying a person or team with overall responsibility for cybersecurity: 36%
  • Improving investor and partner awareness: 20%

For the surveyed PE firms, three key areas would help them get higher returns from their cybersecurity strategies.

Nearly half believe that making cybersecurity a strategic priority would help mitigate breaches and data risks across their portfolio. For companies looking to improve their security posture, cybersecurity should be set and measured against business performance goals. This will help to ensure that company growth can be achieved in the most secure way.

Identifying a person with overall responsibility for cybersecurity is another area that would help PE firms reduce their cybersecurity risks. Partners and owners of the business should ultimately take responsibility for cybersecurity. When online security is compartmentalised, or delegated as a risk to IT, this can lead to a disconnect between the Board’s understanding of cybersecurity issues in business terms, and IT’s reporting in more technical terms.

With early Board understanding of the company’s cybersecurity risk exposure, the threat can be calculated before it is too late.

Finally, for many PE firms, improving investor and partner awareness would help mitigate cybersecurity risks for better governance.

The end goal is to build an ongoing view of how the company can maintain and grow its cybersecurity posture. Investors and partners need to be aware of potential security incidents that could occur and lead to value erosion.

Cybersecurity should not just be about mitigating specific risks as issues constantly evolve. Instead, it should be about having a reviewed plan and process for managing such threats as the business grows and evolves over time.

Our aim in a transaction context is to identify value erosion or risk pre-deal, preserve equity value post-deal during the hold period, and maximise value as you approach exit.

It’s not only the direct revenue, intellectual property and equity value we try to protect, but also more importantly the reputational value of the business.

Faizul Ali, Lead Partner, Cybersecurity – Transaction Advisory Services, EY


Setting Board performance measures

A misstep or data breach has the potential to seriously damage the value or brand of a portfolio business, with investors having every right to be concerned: almost all of the PE firms in this survey say they now feel pressure from limited partners to include cybersecurity risk assessments across their portfolios.

However, many Boards are struggling to confront this challenge. Lack of knowledge is leading to low levels of reporting and measurement. Currently, over three quarters of surveyed PE firms do not feel their management team can quantify their cybersecurity risk exposure, and while 34% say their management teams had received three to four reports on cybersecurity in the last 12 months, 22% had not received any reports at all. Furthermore, only 16% are very confident that their management teams have access to the right metrics around cybersecurity.

PE firms are buying businesses with the potential for growth. However, the inability to show a compliant and strong cybersecurity approach to investors, can prevent and reverse any growth efforts. Investors need their Boards and management teams to report on the risks they are taking on to make an informed decision about what level of risk is acceptable.

Faizul Ali, Lead Partner, Cybersecurity – Transaction Advisory Services, EY

PE Boards need more effective reporting around how their portfolio companies are tackling and preventing security threats, as without the right performance measures, investors are likely to look elsewhere.

  • 96% of PE firms feel pressure from limited partners to include cybersecurity risk assessments across their portfolio
  • 76% of PE firms do not feel their asset management team can quantify their cybersecurity risk exposure
  • 22% of management teams had received no cybersecurity reports in the last 12 months
  • Only 16% are very confident management has access to the right metrics around cybersecurity


Making cybersecurity risk management cultural

Whilst PE firms have increasingly been turning to technology to control risks and costs, cybersecurity is as much a people risk as it is a technology one.

The key is to find the right balance and to think laterally not just about the systems that protect corporate IP and data, but also the individuals at every level of the corporate structure.

A culture of cybersecurity awareness should cascade from investors, Boards and executives through to operations so that everyone takes responsibility for cybersecurity.

Currently, 64% of the surveyed PE firms do not have a platform to share best practice across their portfolio companies. Throughout the whole organisation, all levels should be aware of the processes to protect key assets and respond to potential threats.

Portfolio controllers face difficulties when trying to understand the cybersecurity posture status from their assets. Receiving a consistent risk reporting structure from across the portfolio can be challenging, especially for those who control minority stakes and struggle to influence Boards to pro-actively embed a security culture.

Paul Harragan, Director, Cybersecurity – Transaction Advisory Services, EY

What are your key challenges in carrying out cyber diligence?

  • Being able to identify key digital assets that underpin the deal and the target’s value: 46%
  • Lack of knowledge in-house or via approved suppliers to conduct cyber diligence: 38%
  • Being able to identify the cyber risks to operational continuity and therefore risk valuations: 34%
  • Having the right tools in place to support cyber deal diligence: 30%
  • Understanding what data and regulatory controls are required for the target: 30%
  • Understanding which companies to perform cyber diligence on: 22%

64% of surveyed PE firms do not have a platform to share best practice across their portfolio companies.


Driving competitive advantages

What potential value do you believe could be created by improving cybersecurity across your investment portfolio?

  • Increased operational efficiencies: 58%
  • Increased value of the portfolio: 44%
  • Increased market reach: 38%
  • Increased funding: 32%
  • Reduced risk of reputational damage via breaches to portfolio business: 22%
  • We don’t believe there is potential value in improving cybersecurity across our portfolio: 2%

What proportion of your deal value could potentially be affected as a result of a security breach?

  • Above 25%: 20%
  • Between 16%-25%: 52%
  • Below 15%: 8%
  • Unsure: 20%

76% of all PE firms feel that investing in a company with robust cybersecurity is important when making investment decisions.

74% of all PE firms said that investing in cybersecurity is a means to drive competitive advantages across their portfolio.

While some PE firms have work to do to mature their cybersecurity, they recognise the value of doing so. More than three-quarters of respondents believe that investing in a company with robust cybersecurity should be an important consideration in their decision making. A similar number believe that investing in cybersecurity can help drive competitive advantages.

To secure such competitive advantages, 50% are willing to invest between 2% and 5% of deal value to reduce their cybersecurity risk exposure. This is due to more than half (52%) believing that 16% to 25% of deal value could be affected as a result of a security or data breach.

Calculating the impact of a data breach doesn’t just cover the cost of recovery, there is also the added cost of a diminished brand, investor trust, customer loyalty and in some cases fines from the regulators.

Legal teams and regulators will look for negligence. However, if you can evidence investment and demonstrate the use of security best practice, costly problems can be avoided.

For portfolio controllers, cybersecurity is increasingly seen as a new measure of value. If not managed properly, it will erode a company’s value over time and if managed effectively, can be prosperous.

Paul Harragan, Director, Cybersecurity – Transaction Advisory Services, EY

50% of PE firms are willing to invest 2-5% of deal value to reduce their cybersecurity risk exposure


Actions for improvement

Conclusion

PE firms are increasingly making progress in evolving their cybersecurity to a level of maturity where it can enhance portfolio value. Key findings and trends can be seen across the sector.

Size is playing a part in cybersecurity maturity. Larger PE firms are making greater investments into cybersecurity than their smaller counterparts. They have assigned more management responsibility recognising the risks to asset value across their portfolios.

Cybersecurity matters at every stage of the deal cycle. The majority of PE firms now take cybersecurity into account when conducting due diligence on a potential portfolio business, but too few focus on cybersecurity post-deal, or in exit preparations. A holistic approach is needed as part of pre-deal, on-going portfolio reviews and at exit readiness stage.

Accountability is crucial to mitigate cybersecurity risks. The surveyed PE firms recognised three key factors in mitigating cybersecurity risk: make cybersecurity a strategic priority; identify a person with overall responsibility for security; and increase partner awareness.

In order to advance such efforts, businesses should look to set and measure their security posture against wider business goals with assigned Board responsibility. This will allow the whole organisation to confront cybersecurity as a strategic business concern, and not just as an operational IT issue.

Cybersecurity needs a constant reporting view. The majority of the surveyed PE firms are struggling with effective reporting around cybersecurity. Management teams are not able to quantify security risk exposure, lack access to the right metrics or have received few or no reports around their security posture in the last 12 months. More effective and regular measures are required. This will help to provide a constant view of cybersecurity alongside business risks, to inspire greater levels of confidence to investors, and for best practice to be shared across portfolio companies.

A strong culture will ensure good practice cascades through the organisation. The sector has increasingly turned to technology to control costs and risks.

The human factor, however, still presents a high risk, either from lacking in-house expertise or from not properly reviewing cybersecurity risks from suppliers. Clear reporting structures, processes and procedures need to be established from top to bottom so that every part of a business can strive for better risk management. With the breadth and diversity of PE firms’ businesses, leveraging the skills and knowledge held across portfolio companies can also build a culture of good cybersecurity practice that can be applied across the whole portfolio.

Cybersecurity as a measure of value. The majority of the surveyed PE firms recognise that cybersecurity is playing an increasingly important part in their investment decisions. Limited partners are demanding more risk assessments which places greater focus on evidence of good cybersecurity. The ability to demonstrate effective measures to protect and not erode investment value is helping foster stronger competitive advantages.

As the UK PE sector continues to brace itself for rapid regulatory changes, technological threats and a disruptive future, more transformative approaches will be needed to protect value for investors and customers.

Identifying new strategic advantages, such as integrating robust cybersecurity practices into successful investment strategies, can provide the competitive edge that separates a deal maker from a deal breaker.


Survey methodology

This report is based on a survey of 50 UK-based private equity general partners with assets under management (AUM) of at least £500mn. The survey included 13 large cap firms (with AUM over $20bn), 16 mid cap firms (with AUM between $5-$20bn) and 21 small cap firms (with AUM under $5bn).

The research was commissioned by EY with FTRemark and was conducted between January and March 2019.

Respondents by market size

  • Large cap firms (AUM over $20bn): 26%
  • Mid cap firms (AUM between $5-$20bn): 32%
  • Small cap firms (AUM under $5bn): 42%

Respondents by job roles

  • Investment Director: 30%
  • Managing Director: 28%
  • Managing Partner: 28%
  • Operating Partner: 8%
  • Chief Investment Officer: 4%
  • Chief Executive Officer and Founder: 2%


Contact us

Faizul Ali, Partner, Cybersecurity, Transaction Advisory Services

Paul Harragan, Director, Cybersecurity, Transaction Advisory Services


EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. For more information about our organization, please visit ey.com.

Ernst & Young LLP

The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC300001 and is a member firm of Ernst & Young Global Limited.

Ernst & Young LLP, 1 More London Place, London, SE1 2AF.

© 2019 Ernst & Young LLP. Published in the UK. All Rights Reserved.

EY Cybersecurity reports.indd (UK) 09/19. Artwork by Living Group.


In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.

Information in this publication is intended to provide only a general outline of the subjects covered. It should neither be regarded as comprehensive nor sufficient for making decisions, nor should it be used in place of professional advice. Ernst & Young LLP accepts no responsibility for any loss arising from any action taken or not taken by anyone using this material.

ey.com/uk