As breaches and compliance violations increase in the headlines, private equity firms have a growing need to assess the cybersecurity of their portfolio companies to identify the risks and gaps in compliance. Performing full security risk assessments on each company can be both prohibitively expensive and time-consuming, however. To help PE firms meet this demand, Agio created a Portfolio Company Cybersecurity Risk Program that evaluates all current portfolio companies as well as buyout funds. We provide a prioritized action plan resulting from a due diligence questionnaire (DDQ) assessment based around the NIST CSF and an external vulnerability scan of all publicly accessible systems.
After performing these assessments for several years, I see the same risks show up again and again. The list is long, but almost all of the high-level risks can be mitigated. Here are the top three:
Assumed Compliance Without Assessment
Portfolio companies that take card payments very likely fall under the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Time after time, when reviewing the cybersecurity of portfolio companies that are retailers or chain restaurants, I find contradictory statements about their PCI compliance. The younger the company, the more frequently this is the case. Many will state they are not subject to PCI because a third party hosts their e-commerce site or because their POS system is PCI compliant. Many will state they are PCI compliant, but also state they have never completed a PCI Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC), which are the only two ways PCI compliance is assessed for merchants. This is like someone saying they are healthy while never going to the doctor, taking their blood pressure, or tracking other health data. Some companies state they are compliant and have an SAQ, but then state they have never performed a penetration test, never trained employees in cybersecurity, never performed a risk assessment, or have no formal role assigned to oversee information security, all of which are PCI requirements for most merchants.
When I sit down with the private equity firm’s Risk Officer to discuss the discrepancies with the portfolio company leadership, it generally reveals a lack of understanding of what the PCI requirements really are. Without having performed a proper PCI assessment with the help of someone who understands PCI, like a PCI Qualified Security Assessor (QSA), the companies are in the same boat as the person who never visits a doctor. They assume they are in good shape, but may not know until they get checked out or have a major event that proves otherwise. In all of these cases, the greatest risk is not knowing. We see the same risks for other compliance frameworks, especially GDPR. This lack of assessed compliance puts customer data, the portfolio company, and the PE firm at significant risk.
Where’s the Data?
“We don’t maintain any sensitive data,” said one retailer that used a third party for payment processing. “No one at our company has any access to card data.” They also listed three marketing firms in their list of vendors and had consumer data on nearly one million individuals. I’ve never come across a successful retailer or restaurant chain that did not maintain customer data to understand their markets and help grow their business. This data is usually shared with three or more outside agencies as well as internal marketing. Very rarely do these companies have a data map documenting the specifics of what data is where and who has permissions to view or alter it. Often, there is a myopia among companies when it comes to types of sensitive data. Retailers focus on payment card data. Customer data gets more attention than employee data, but only after they have addressed the risks to cardholder data. Only companies that have done the work to know all the data they have and what systems store and process it, and that have strong procedures for granting access to it and the ability to detect unauthorized access, can understand and reduce the risk of unauthorized access to sensitive data.
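To make the data-map idea concrete, here is an added example (not Agio's tooling or any portfolio company's records) of the minimum a data map needs to capture and the gaps it exposes once it exists: who owns each sensitive dataset, who can read or alter it, whether access is logged, and which outside parties receive it. The dataset names, systems, vendor names and the "approved vendor" list are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Classifications treated as sensitive in this example (an assumption; a real
# program would derive these from its data classification policy).
SENSITIVE = {"cardholder", "pii", "employee"}

# Outside parties with a documented data-sharing agreement (constructed list).
APPROVED_VENDORS = {"PaymentProcessor", "AgencyA"}


@dataclass
class Dataset:
    """One row of the data map: what the data is, where it lives, who touches it."""
    name: str
    classification: str          # "cardholder", "pii", "employee", "public", ...
    system: str                  # system that stores or processes the data
    owner: str | None            # accountable business owner, if one is assigned
    readers: set[str] = field(default_factory=set)   # groups that can view
    editors: set[str] = field(default_factory=set)   # groups that can alter
    shared_with: set[str] = field(default_factory=set)  # outside recipients
    access_logged: bool = False  # can unauthorized access be detected?


# Constructed sample data map, modelled on the retailer described above.
DATA_MAP = [
    Dataset("customer_marketing_profiles", "pii", "CRM", None,
            readers={"marketing", "everyone"}, editors={"marketing"},
            shared_with={"AgencyA", "AgencyB", "AgencyC"}),
    Dataset("payment_tokens", "cardholder", "hosted checkout (third party)",
            "Finance", readers={"finance"}, shared_with={"PaymentProcessor"},
            access_logged=True),
    Dataset("employee_records", "employee", "HRIS", "HR",
            readers={"hr", "everyone"}, editors={"hr"}),
    Dataset("store_hours", "public", "website CMS", None, readers={"everyone"}),
]


def find_gaps(datasets: list[Dataset]) -> dict[str, list[str]]:
    """Return, per sensitive dataset, the control gaps visible from the map alone."""
    gaps: dict[str, list[str]] = {}
    for ds in datasets:
        if ds.classification not in SENSITIVE:
            continue
        found: list[str] = []
        if ds.owner is None:
            found.append("no accountable owner")
        if "everyone" in (ds.readers | ds.editors):
            found.append("access granted to everyone")
        if not ds.access_logged:
            found.append("access not logged; unauthorized access is undetectable")
        unapproved = sorted(ds.shared_with - APPROVED_VENDORS)
        if unapproved:
            found.append("shared with vendors lacking an agreement: "
                         + ", ".join(unapproved))
        if found:
            gaps[ds.name] = found
    return gaps


def third_parties(datasets: list[Dataset]) -> dict[str, set[str]]:
    """Map each sensitive classification to every outside party that receives it."""
    out: dict[str, set[str]] = {}
    for ds in datasets:
        if ds.classification in SENSITIVE and ds.shared_with:
            out.setdefault(ds.classification, set()).update(ds.shared_with)
    return out


if __name__ == "__main__":
    for name, issues in find_gaps(DATA_MAP).items():
        print(name)
        for issue in issues:
            print("  -", issue)
    print("outside recipients by classification:", third_parties(DATA_MAP))
```

The checks are deliberately simple: they need nothing beyond the map itself, which is the point. A company that cannot populate these fields for each dataset does not yet know where its sensitive data is, and a company that can will usually find the "everyone" permissions and undocumented vendor feeds on the first run.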
Growth Now. Security Later.
“We’re a startup. We are focusing on growth. We run lean and don’t have the people or money to spend on security now. We’ll deal with that at the next phase of the business.” I’ve heard this from a lot of companies. Growth should be the focus of a startup, but the idea that cybersecurity costs too much to consider from the start or early on, or that it will be easier to implement later, is demonstrably wrong. There are dozens of practices that can be put in place now to give the company a solid, secure structure for growth. These include a basic set of information security policies, multi-factor authentication for all externally accessible systems, data classification and data maps, and security awareness training for all relevant personnel. All of these basic security controls, and more advanced ones such as network segmentation, can be implemented without impeding growth, and doing so early establishes a security-driven culture.
Managing & Reducing the Risks
A critical component of Agio’s cybersecurity assessment on a portfolio company is a corrective action plan (CAP). The CAP provides a prioritized matrix of the identified risks and specific actions to take to mitigate them. Often, a PE firm will work with Agio to advise the portfolio company on next steps or recommend specific Agio services, like a PCI DSS Gap Analysis or Cybersecurity 360° Program, that can provide a more comprehensive and longer-term solution. If the cybersecurity of your portfolio companies is an unknown risk to your firm or you do not yet have a plan to manage the known risks, Agio can help.