Sequoia Capital and KKR have both been victims of cyber criminals in recent years. Institutions aren’t the only ones at risk – investors have been targeted too.
A report by Coller Capital found that 10 percent of limited partners (LPs) had been the victim of a cybercrime between 2016 and 2021. The report also found that the number of investors impacted had doubled since 2017 and that roughly 67 percent of LPs expect an attack in the next five years.
Private equity continues to be a prime target for cybercriminals. As a result, investors and firms have raised their defense budgets. KKR appointed a global head of cybersecurity to bolster its defenses. Meanwhile, Tailwind Capital has implemented a strict checklist of cyber defenses, including a multi-factor authentication, network security, and an incident-response team for potential portfolio investments.
“if you’re a private equity firm, and you have a portfolio of companies, and you are rumored to be acquiring a small company or a midsize company that may or may not have a sophisticated cyber infrastructure to prevent attacks, then that company could be a conduit to the larger portfolio held by the private equity firm,” says Amy Gross, the leader of the private equity and mergers & acquisition division at insurance giant Liberty Mutual. “And that’s why cyber is such an important discussion.”
Gross’ team provides insurance services to more than 2,000 private equity firms across the globe. In recent years, she has seen an uptick in demand for cybersecurity insurance, although the need for such coverage is still under appreciated across the industry.
“The surprising factor is that, while insurance can be an important way to strengthen the performance of [a PE firm’s] portfolio company, not a lot of private equity firms have dedicated risk managers,” she says. “Most companies in the auto or healthcare sector have a staff of risk managers that are dedicated to a focus ton protecting that company through reinsurance. And that seems to not be as robust or as widespread in the private equity area as it is in other industries.”
However, the rising risk of a cyber attack and the growing costs of protection against these attacks has caught the industry’s attention. According to the U.S. Government Accountability Office, some insurers have reduced their limits for cyber coverage, raised premiums, and added exclusions for things like cyberattacks that are acts of war by a nation-state. The rising cost of cybersecurity insurance is pushing some PE firms to consider consolidating coverage.
“Over the past three years, I’ve seen more and more firms start to look at this and say, wait a minute, our insurance through each portfolio company is very expensive. Are we sure our portfolio companies are buying the right insurance, enough insurance and are protected?,” says Gross. “[However], there are still firms out there that are not even thinking about insurance. They just let the portfolio companies do what they want. And there are risks to that.”