Private Equity’s Decade of Growth
Over the last 10 years, the private equity market has seen tremendous growth. According to Preqin, private equity assets under management (AUM) have grown from $2.37 trillion in 2010 to $4.56 trillion in 2020. This represents a 92% increase in AUM, or an average growth rate of 8.2% per year. Additionally, private equity fundraising over the past 10 years has seen a compound annual growth rate of 8.8%. In 2020, private equity fundraising reached a record high of $895 billion.
The private equity market has grown significantly over the last three years. In 2017, global private equity fundraising reached $452 billion, and the number of closed deals (buyouts and venture capital investments) reached 8,496. In 2018, global private equity fundraising reached a record high of $583 billion, and the number of closed deals reached 8,914. In 2019, private equity fundraising increased even further, reaching $631 billion, and the number of closed deals reached 9,098.
In fact, PE deals set records in 2021, with over $1.2 trillion in 8,624 deals, while 2022 was only modestly off that mark with $730 billion in deals. According to PwC, there is about $1.1 trillion of investable capital (dry powder) sitting within the PE firms heading into 2023.
By all accounts, 2023 is poised to surpass 2022 with PE activity, and perhaps even approach the record-setting 2021 levels. The primary difference this year is the higher scrutiny the regulators are putting on ensuring proper risk mitigation strategies are in place at both the PE firm and the portfolio companies.
A Word to the Venture Capital Firms
While most of this piece is targeted at PE firms, VCs would be wise to leverage many of these similar topics when evaluating investments. While the PE/VC business model is different, many of the risks identified below could directly impact your future investment – especially the Regulatory and Compliance topics – the ones FTX blatantly ignored.
The Private Equity Technology Approach
Generally, most PE firms look for a 5-7 year turnaround (sale or IPO) of the asset within the portfolio. Unlike most Mergers and Acquisitions (M&A) initiatives, PE firms do not necessarily focus on technology integration as a long-term source of cost reduction. In fact, most PE acquisitions leave the acquired company untouched from a business technology perspective in order to efficiently dispose of it when the timing is right. There are no costly system & network integrations and database consolidations at the time of acquisition; or worse – the headaches of decoupling systems and data for a timely sale. No, today’s PE firm is the definition of a modern-day holding company, which brings its own unique risks and control challenges with it.
While many variations of risk and technology need to be evaluated as part of any deal, the five items I’ve highlighted below represent the minimum set of technology and security management practices that should exist in any portfolio company.
Five Key Risks To Consider
According to the 2022 Exam Priorities report, the Securities and Exchange Commission’s Division of Examinations (formerly OCIE) highlighted ‘Private Funds’ as their first priority, with ESG, Compliance, Information Security, and Emerging Technology as their Top-5 examination focus areas. As detailed within the report, there is in excess of $18 trillion of investments in private funds, making it no surprise that the SEC is scrutinizing the soundness of such investments. Finally, with the recently proposed changes to Title 17 (1,2), there is no evidence that their focus will change in 2023.
Considering that, as a general direction, PE firms are now going to be under greater scrutiny, we also have to acknowledge that one of the fundamental baselines of these examinations is the existence of a strong and well-executed Regulatory & Compliance (R&C) function within the firm.
The R&C function should be the leading internal reporting function for tracking and reporting on fraud and corruption and will be a major factor in how the SEC perceives the firm’s approach to risk management. A strong R&C function indicates a deep understanding of the organization’s risk tolerance, whereas a weak or non-existent one is typically viewed as highly suspect and calls into question the firm’s risk management process.
In general, the R&C function should oversee, when applicable, the following areas:
- Compliance with regulatory mandates such as Sarbanes-Oxley (SOX) or Foreign Corrupt Practices Act (FCPA).
- Effective implementation of technology controls
- Anti-money laundering (AML) and Know Your Customer (KYC) requirements
- Alignment with stated Environment, Social, and Governance (ESG) goals and initiatives (3)
- Technology-centric reporting (incident management, breach notification, etc) and industry initiatives such as the Payment Card Industry (PCI) security requirements
- Governmental lobbying activities
- Corporate policy publication
It is also critical to understand that the R&C function should exist at the portfolio level as well. Perhaps a shared function at the firm level would be sufficient. Still, a dedicated effort to ensure that all portfolio companies align with the firm’s R&C direction cannot be overlooked. This is especially critical when portfolio companies operate in different jurisdictions. Regulatory, Compliance, and Legal requirements vary country by country, and having the ability to demonstrate the firm’s understanding of that complexity goes a long way in proving a competent R&C program is in place.
A final thought. Should the potential portfolio company be in the emerging tech space (crypto-currency, FinTech, HealthTech, etc), there is an increasing chance that the regulators will be far more involved than typical ‘legacy’ technology acquisitions. For example, the FTC recently enacted the ‘Safeguards Rule’ specifically to address those emerging finance companies that fall outside of what the FTC historically labeled financials. With the all-too-frequent collapse of many crypto exchanges as well as the newfound scrutiny that the FinTech space is under, it would be wise to almost presume some type of regulatory involvement, rather than expect to be left alone.
Under the current level of scrutiny by regulatory officials, prudence would dictate following a generally accepted standard to measure R&C levels throughout the firm and its asset portfolio. The most widely adopted standard for such functions is published by the International Standards Organization (ISO) as the ISO 37000:2021 Governance of organizations series of controls. This document, and its supporting publications, can provide insight into where any compliance gaps exist prior to asset acquisition as well as assist the firm in developing a longer-term strategy to ensure compliance.
From a PE perspective, cybersecurity has an interesting dynamic about it. Almost by definition, each portfolio company will have its own regulatory and security posture – even if they reside in similar industries. This is the main reason that the R&C and security teams need to be so closely aligned.
While there are many standards and checklists available to evaluate the robustness of a security program, one must lean towards something that is not only complete but also relied upon and trusted by the regulators. Additionally, the PE firm’s ability to measure and track progress against a standard baseline is a critical risk management function. Enter the NIST Cybersecurity Framework (CSF).
The NIST CSF is relied upon by most regulators as a way to measure the baseline functionality of an enterprise security program. Unfortunately, most portfolio companies have neither the need nor the resources to implement such an in-depth program. In fact, the most common complaint I’ve heard about the CSF is its inability to be effectively implemented in small and medium-sized businesses, which is where most portfolio companies fall.
However, all is not lost.
In September 2022, Fitch Ratings released a report on the state of the cyber insurance industry and how most carriers look for a few common practices when evaluating risk for a policy. Based on that report, I was able to correlate the Top-10 items of the Fitch report to the NIST CSF standard, basically providing a roadmap of minimal requirements for organizations to address. The article, in combination with my CSF tool, provides a baseline assessment for a PE firm when it comes to identifying cyber risk within a current or potential portfolio company.
The table below identifies the Top-10 areas that Fitch identified along with their NIST CSF categories.
| Key Cyber Insurance Carrier Policy Requirements* | NIST CSF Reference | Good Practice (GP) | Best Practice (BP) |
|---|---|---|---|
| Use of multifactor authentication (MFA) | PR.AC-7 | All critical devices, remote access & SaaS access is protected by MFA. | All user access, regardless of origin or destination, is protected by MFA. |
| IT Security strength and vulnerabilities | ID.RA | Vulnerability scans are performed with ‘best effort’ mitigation. | Vulnerabilities are evaluated based on internal risk assessments, and mitigation is prioritized and within expected timelines. |
| Employee training on phishing and other cyber attacks | PR.AT | Users are trained on general phishing/cyber attacks annually. | Customized quarterly training based on job function. |
| Strength of password requirements | PR.AC | Common password requirements across all users. | Risk-based password requirements customized based on the sensitivity of data being accessed or the criticality of services being supplied. |
| Third-party vendor exposure management | ID.SC | Standard cybersecurity clauses included in contracts. | Full inventory of third-party assets within the infrastructure. User access is managed similarly to employee access. Compliance & technical audits are performed annually. |
| Regulatory reporting obligations | ID.GV-3 | Legal reporting has been formalized by policies and approved by executive management. | Privacy, Regulatory, and Law Enforcement notification and reporting have been defined and are included as part of Incident Response tabletop exercises. |
| Quality of incident response plan | RS.RP | Incident Response and Business Continuity plans are in place and reviewed/tested annually. | Incident Response and Business Continuity plans are in place with formal semi-annual tabletop exercises for all functions. |
| Implement endpoint detection and response (EDR) | DE.CM-3 | Endpoint detection solutions are installed on all user devices, with regular updates. | Endpoint detection solutions are installed on all user and infrastructure devices, with regular updates, with centralized event/incident reporting to the Security Operations Center. |
| Creation of system backups | PR.IP-4 | Backups are performed daily, validated, and tested annually. | Backups are performed consistently, recovery is tested semi-annually, and systems can be returned to an operational state within an acceptable RTO timeframe. |
| Penetration testing results and remediation success details | ID.RA-1 | Annual third-party penetration test against external-facing infrastructure. | Continual penetration testing of all internal & external environments. Results fed into the development lifecycle and risk assessment process. Vulnerabilities resolved prior to production deployment. |
* – As defined by the Fitch report
Supply Chain & Third-Party Risk
As PE firms grow and acquire more assets, the overall supply chain risk grows near-exponentially. As I previously highlighted, most PE firms leave the structure of the portfolio company as-is, with an expectation that it will be easier to dispose of in the future. The downside of that approach is the almost exponential growth of third-party suppliers as the firm acquires more portfolio companies.
Over the last several years, the level of risk, and more accurately, the number of breaches, has substantially increased as a direct result of third-party and supply chain mismanagement. As such, President Biden signed Executive Order 14028, Improving the Nation’s Cybersecurity (4,5), on May 12, 2021.
As a result of the Executive Order, NIST has released a framework focused on managing and mitigating software security within the supply chain. The Secure Software Development Framework (SSDF) provides an understanding of third-party and supply-chain software risks and provides baselines as to how organizations should manage them.
From a firm perspective, there are two distinct ways the SSDF can impact you.
- As a third-party Consumer: If your company is a consumer of third-party services, then you should be looking at the SSDF as a way for your software providers to ensure they are developing code appropriately. They should be able to answer the majority of the questions in the SSDF so that you could honestly provide such feedback to an auditor or regulator should you be asked. Additionally, the provider should be able to provide you with a current Software Bill of Materials (SBOM) report for every release.
- As a third-party Provider: If your portfolio company develops solutions (software platforms, API services, etc) that will be sold to other third parties, then the SSDF should be evaluated in light of how the company develops and maintains its software. Fundamentally, you need to be able to quantify and positively answer the 42 questions contained within the SSDF from the viewpoint of the company purchasing your solution.
When organizations consider consumer privacy expectations, the gold standard is the European Union General Data Protection Regulation (GDPR). Not only is GDPR one of the most prescriptive pieces of privacy legislation in any jurisdiction, but it is also arguably the single most enforced piece of legislation around the world. In a recent example, Meta, the Facebook parent company, was fined over 390 million euros in January 2023 for deceptive practices around its consumer privacy tactics. In fact, many countries outside of the EU have copied the requirements virtually word-for-word for their own local legislation.
Thanks, in part, to the lack of a comprehensive federal privacy statute, the privacy landscape in the US is confusing at best. Without question, the most onerous and restrictive US law is the California Consumer Privacy Act (CCPA), which does specifically call out PE firms and their responsibility to ensure any consumers within their holding companies are protected. The CCPA has a broad scope: regardless of where the firm or acquiring company resides, if they maintain data on California-based consumers or patients, they fall under the CCPA.
Oftentimes, a company will pass off privacy issues as a legal matter to be negotiated as part of a wider contract, attempting to put the responsibility on a third party. Unfortunately, the regulations have all compensated for this and make it very clear that, while you can outsource and manage the processing of private data, you cannot outsource your responsibility for keeping that data secure.
It is important for a PE firm to have clear insight into the risk around the lack of privacy controls of an acquisition prior to the deal closing. By performing a generally accepted privacy assessment, the PE firm will have a better understanding of a potential privacy-impacting event. The NIST Privacy Framework provides a comprehensive view into how companies manage and protect their client, consumer, and patient data. Performing such an assessment pre-acquisition not only helps the firm understand the potential privacy risk being assumed after the deal closes, but can also shed light on management’s overall consideration and approach to consumer privacy.
Perhaps it is a bit apropos that Crisis Management is the last topic, as it is one of the most important, and arguably, most overlooked, practices any organization can have. One only needs to look at all of the recent press surrounding the Uber breach over the last few months to get a clear understanding of how bad a situation can get without a solid Crisis Management program. In fact, in a 2021 survey, over 95% of respondents told PwC that their Crisis Management program needs improvement.
Whether it is a security incident, a consumer trust issue, or a regulatory findings disclosure, the organization’s ability to manage the crisis in an effective, succinct, and lawful manner is paramount. When developing a crisis management program, there are several key areas that must be addressed in order to mitigate damage to the firm caused by an issue at a portfolio company. Some of these are:
- Technology Failures: security breaches, service outages
- Consumer Issues: reputation concerns, product recalls, supply chain issues
- Environmental Catastrophes: Natural disasters, pollution discharges
- Geo-political Threats: Government turmoil, labor strikes
- Social Issues: Social media leak/breach, negative publicity
- Legal Concerns: Regulatory findings, lawsuits, internal fraud/money laundering
While the basics of crisis management are evaluated as part of the NIST CSF we previously discussed, the CSF assessment is highly focused on technology and security risks while missing many of the business-centric, environmental, or non-technical risks companies face. Thankfully, we can once again point towards a widely accepted standard by which we can measure the maturity of your Crisis Management program. The ISO has recently published guidance for companies on how to develop a formal crisis management program, ISO 22361:2022 – Security and resilience — Crisis management.
While, at first blush, this may seem like a substantial undertaking for many firms, when designed and executed correctly, the cost of performing a comprehensive assessment will be a basis point or two of the entire deal cost. According to Bain, PE acquisitions averaged $1 billion in 2022, so what’s a couple of basis points versus the average cost of $10 million to recover from a security breach or to avoid the reputational problems caused by another FTX?
Some final remarks:
- As part of the pre-acquisition strategy, the acquiring PE firm should perform a high-level assessment of these functional areas to ensure the acquisition target satisfies the expected minimum the PE firm is looking for.
- Assessment results should be aimed at providing the PE firm with an understanding of what additional risk would be taken on as an adjunct to the standard business risk assessments.
- When possible, leveraging existing risk frameworks is highly beneficial, especially for those with a history of being viewed positively by regulatory agencies. I have also developed a popular tool for doing NIST assessments, which can be found here.
- Consideration should be given to having these assessments performed by an independent third party to ensure the results are unbiased and provide long-term evidence in the event of future reviews by the SEC.
- Many of these topics overlap each other, and that’s a good thing. A solid Crisis Management program is built upon a strong Cybersecurity and Compliance program, just as they both have different Third-Party risk concerns. Successful programs work in concert with one another.
This article was based on NIST Cybersecurity Framework v1.1. As of this writing, version 2.0 is being drafted and reviewed. Category names/numbers will likely change subsequently.
Copyright © 2002-2023 John Masserini. All rights reserved.