Cybersecurity has become a critical concern for Private Equity (PE) firms. With frequent deal announcements, a vast amount of sensitive data and readily available capital, they can be seen as attractive targets for cybercriminals. PE firms need to monitor both their own cybersecurity and that of their portfolio companies. The repercussions of a cyber incident can be severe, impacting both immediate financial stability and long-term investor confidence.
Unlike corporate M&A, where the entity is onboarded and IT systems are subsequently integrated, PE firms do not typically integrate systems with their portfolio companies. The cyber risk remains within individual portfolio companies, yet the PE firm remains exposed to legal liabilities, costs and reputational damage for the duration of the investment cycle.
Cyber incidents can impact investments in various ways at all stages of the investment lifecycle, whether pre-acquisition, during the hold period or at the point of exit:
If a target's cybersecurity is not appropriately assessed during due diligence, vulnerabilities may go unidentified and the deal value may be overestimated. WTW has seen target companies suffer cyber-attacks even while a transaction is in progress; in such instances, being able to quantify the potential exposure is critical from a valuation perspective.
1. The costs of a cyber incident can be considerable, including legal fees, public relations, credit monitoring, call centres and IT forensic support. A cyber incident can also have long-lasting consequences: business interruption may result in lost revenue and increased operating costs. Our 2024 Cyber Claims Analysis report details a significant loss from a malicious data breach handled by our claims team; the loss required engagement with various vendors and specialists and totalled USD 300m.
2. With the evolving data protection and cyber security regulatory environment, Private Equity firms will be required to ensure their portfolio companies comply with relevant regulations. Portfolio companies will need to adhere to the requirements of GDPR (or the local equivalent) and, for those that fall within its scope, the recently adopted EU NIS-2 directive. Regulatory breaches may also attract penalties.
3. It is common for companies to suffer reputational damage following a cyber incident. A breach of customer data can erode customer loyalty and trust. The damage can extend beyond the affected portfolio company to the private equity firm itself, undermining investor confidence at fund level and even future fundraising.
A robust and mature cyber posture can mean a company is perceived as more resilient and capable of long-term growth, which can increase its market value at the time of exit. Conversely, portfolio companies with inadequate cybersecurity measures are less attractive to potential buyers and are often seen as higher risk; this may result in fewer interested bidders and a greater challenge in obtaining the maximum valuation.
If the public announcement of a deal encourages a cyber-attack at the portfolio company during a transaction process, this can delay deals or, in the worst-case scenario, cause them to collapse.
A W&I (warranty and indemnity) insurance policy is typically purchased to protect buyers and/or sellers from financial losses arising from breaches of warranties and indemnities in the sale agreement. These sale agreements often include warranties related to cyber risks. Historically, W&I insurers were reluctant to cover cyber risks and often applied a general cyber exclusion. Insurers are now more willing to provide coverage, subject to appropriate due diligence and sufficient operational cyber insurance being in place at portfolio company level.
While W&I insurance can offer some protection against cyber risks, it is not a substitute for cyber insurance at the portfolio company itself. W&I insurers typically look to sit in excess of the target's own cyber insurance policy, so that the two policies together provide comprehensive coverage.
PE firms have two key options for cyber insurance:
Each portfolio company purchases its own insurance policy, tailored to its specific needs. These policies typically cover data breaches, ransomware attacks, incident response costs, and business interruption due to cyber incidents.
1. Comprehensive assessments of target companies to understand their cyber maturity will assist with negotiations and avoid deal delays.
2. Addressing the unique cyber maturity and IT posture at each portfolio company is crucial to protecting and maximising the investment value. However, viewing the portfolio holistically rather than as individual investments can deliver benefits such as:
3. PE firms remain exposed during the hold period, so ensure you respond to any new IT vulnerabilities, cyber threats or regulations.
At WTW we understand Private Equity and Cyber Risks. By drawing on the expertise of WTW's Private Equity practice, spanning cyber due diligence, cyber risk consultancy, portfolio management and tailored insurance solutions, PE firms can mitigate risks, maximise exit valuations and protect investor confidence. Please contact us to find out more.