Lessons learned in cybersecurity
When strategic planning with our portfolio companies, there is always a temptation to focus on questions related to offense: where are we going, what new initiatives are we prioritizing, what new geographies are we moving into, and what hires are we making? After all, these growth-oriented goals tend to be the most interesting strategic conversations to have. What we also make sure our companies are addressing are the things related to defense: what are our potential downside risks and how do we proactively address them now to mitigate possible negative effects? As we’ve chatted over the last 12 months, cybersecurity has been increasingly addressed in these discussions.
Just a few years ago, cybersecurity was not on the radar for most middle-market companies. Ransomware attacks and phishing were known threats but occurrences were relatively rare, and the costs to mitigate were manageable. Unfortunately, over the last several years, both the frequency and severity of these malicious acts have increased substantially.
As a result, it is no longer only Fortune 500 companies, or only companies that possess sensitive consumer information, that need to take precautions against cyber risks. Across our portfolio we have seen multiple attempts at wire fraud, phishing scams, and ransomware attacks, and talking with other private equity firms and cyber insurance brokers confirms that this is a market-wide trend.
We’ve found that what was once a key layer of protection, a cyber security insurance policy, is now largely viewed as a fallback, last line of defense. After all, if you are making a cybersecurity claim you have already incurred losses from these types of attacks. Over the last several years, it’s clear that it’s far better to be proactive in our strategies around cyber security by engaging IT teams early and making sure they have C-Suite and Board of Director-level visibility with regular reporting.
We are now proactively investing in the systems, software, and people to help ensure we have best-in-class defenses in a constantly changing landscape. These efforts have changed across our portfolio from a “nice to have” to a “must have.” As just one small example, the industry standard is now to perform IT diligence focusing on cyber security risks with any new private equity investment. This helps to inform us not just of potential red flags and risks in a potential investment, but also of what the go-forward needs are for the company to become a leader in reducing cybersecurity risks.
When we first began to explore the required investments around cyber security compliance, I was shocked at the costs for software, training, and systems to support these initiatives. Once we did the math on the cost of a potential outage of our systems due to a cyber-attack, these investments became more justified. How long could one of our companies afford to be offline before we started doing long-term damage, not just to our income statement, but to our customers and reputation? Viewed through this lens, the tough pill of IT investment and compliance costs becomes much more palatable.
The prime recent example (and there are many) of the damaging impact of ransomware attacks is seen in the Colonial Pipeline shutdown. Colonial operates 5,500 miles of pipeline transporting gasoline, diesel, jet fuel, and heating oil throughout the eastern seaboard of the US. While a short shutdown of pipelines, whether for routine maintenance or construction, is normal and to be expected, the myriad impacts of a prolonged outage on consumers and on the fuel-dependent industries that are customers of Colonial can be dire. If a large, mission-critical infrastructure company such as Colonial is vulnerable to this type of exposure, it is easy to see how a smaller business could also be crippled by such attacks.
While it’s often tempting for our strategic initiatives to focus on growth and the potential for upside for our companies, cybersecurity is a strong example of why downside protection and mitigation are equally critical to our companies’ long-term strategy. I suspect that in the coming years these cyber initiatives will continue to move from the back of investors’ and managers’ minds to the forefront of focus and concern, as prominent examples continue to stress the importance and potential impact of the systematic shutdown of a company’s systems and operations.