Private Equity International held its 16th annual CFO/COO Forum in New York City this past January. Woodruff Sawyer was proud to sponsor the event as over 600 attendees gathered to hear from industry leaders, meet with their PE peers, discuss recent and upcoming trends that affect the private equity community around the United States, and create strategies for improving the operations of the firms they represent.
Among the themes that arose throughout the panel and breakout discussions were those related to cyber security and the evolution of cyber-related risks faced by private equity firms. Together, these topics anchored discussions of emerging PE challenges and solutions, trends in HR, the outlook for the due diligence process, and critical trends affecting how the CFO/COO function continues to evolve.
Evolution of Cyber Compliance in the US and GDPR in the EU
Woodruff Sawyer has previously discussed the effects of both US cyber regulations and necessary compliance measures, as well as the effects of the recent implementation of General Data Protection Regulation in the EU (articles here and here). With GDPR now in full force in the EU, the private equity community is preparing for potential similar regulations in the United States. Most recently, California passed the California Consumer Protection Act (CCPA), which implements many of the same privacy and data management controls as GDPR. The CCPA goes into effect July 1, 2020 and has been held up as a potential model for other states to adopt. As GDPR has forced US-based companies with operations in the EU to enhance their controls, it’s not unlikely that US firms will soon approach data management and privacy protection in the same ways domestically through an increasingly demanding patchwork of state laws or possible federal data protection legislation.
During the recent PEI conference, many private equity firms treated GDPR as the standard for care across both the funds and portfolio companies, especially because funds may have LPs based in the EU or portfolio companies with operations, and thus exposures to GDPR compliance, in the EU.
With the evolution of GDPR, private equity funds are having to re-evaluate how they think about cyber security and risk-mitigating mechanisms in place.
Three Cyber Risks to Private Equity Firms in 2019
As with most industries, private equity firms increasingly face significant cyber risks, and those risks continue to evolve on an almost daily basis. In addition to the fund itself, nearly all portfolio companies face cyber risk, and an incident can significantly impact EBITDA and therefore the underlying value of the company, adding another layer of complexity to the mix. We’ve seen this in many M&A transactions, most notably the Verizon acquisition of Yahoo!. After Yahoo! disclosed two separate data breaches, its value decreased by over $300.0 million prior to the close of the transaction.
Aside from the dynamics and risks involved during a portfolio company’s transaction itself, PE firms are encountering new daily risks at the fund-level. In 2019, these are the core cyber exposures CFOs and COOs of PE firms face:
- Sensitive corporate information: Private equity firms have access to vast amounts of private corporate and/or confidential information for a number of companies, including current portfolio companies, current and ongoing transactions, and potential transactions. While the risk of exposing this information does not carry the same legal and regulatory implications that a breach of personally identifiable information might, there may be far greater contractual and reputational consequences of failing to protect access to this information. As an example, consider the impact of the infamous Panama Papers breach at the law firm Mossack Fonseca.
- Ransomware: Every industry is susceptible to it, but some have more to lose than others. In the fast-paced world of private equity, having your network taken hostage causes trouble at any time, let alone at deal time. With the recent trend of attackers varying their ransom demands once they discover who they’ve actually attacked, private equity firms are likely to see increasing demands in a ransomware scenario. A typical exposure here would be an attack on an entire dataroom, with the attacker refusing to allow access (or threatening dissemination of confidential data within the dataroom) unless the seller pays a ransom.
- Phishing attacks: These attacks are increasing in frequency as attackers look for a quick way to monetize the weakest part of any security network—humans. Catch an employee on a bad day when they’re in a rush and your entire network becomes a digital playground for an attacker to do damage. These attacks can lead to funds-transfer fraud, ransomware, loss of personally identifiable information, and much more. They cause even more headaches when high-net-worth individuals such as GPs or LPs are targeted. A typical claim scenario would be: a CFO/COO receives a message seemingly from a deal team member’s email address (or vice versa) containing instructions for wiring money for an invoice. In reality, the sender is an impostor.
How are Private Equity Firms Tackling the New and Evolving Exposures?
The CFOs and COOs who attended the recent PEI Conference made several comments not only about how their roles are evolving in 2019 pertaining to cyber security, but also the new ways in which their firms are tackling the emerging exposures:
- Fund-Level Risk Assessment: Engage third parties to help understand and assess the cyber risks faced by the fund (including any currently compromised email addresses) and to identify the most common recent attack vectors targeting the PE industry.
- Penetration Testing: Utilize third party advisory firms that specialize in cyber security to identify vulnerabilities, validate current controls, and implement proactive measures to enhance their network security.
- Incident Response Planning: Prepare for a cyber incident by implementing an incident response plan and, importantly, testing the plan to make sure it works. These types of tabletop tests have become popular across many industries as data shows that an effective and timely response to a cyber incident reduces the ultimate impact of the event, from both a time and cost perspective.
- Outsourcing Data Hosting: Outsource data collection and storage—both at the fund management level and portfolio company level—which may contractually transfer the liability to a third party.
- Due Diligence: Increase due diligence efforts around cyber risk and cyber insurance for ongoing acquisitions—whether by the insurance due diligence provider or third-party cybersecurity firms.
Will a Private Equity Firm’s General Partnership Liability Policy Respond to a Cyber Security Loss at the GP and/or Portfolio Company Level?
Woodruff Sawyer has previously discussed this topic here. Third party liability associated with a data breach or security incident may be covered by the E&O insurance agreement of the general partnership liability policy, but not due to an affirmative grant of coverage. The primary source of affirmative cyber coverage for private equity firms is a stand-alone cyber liability policy. A stand-alone cyber policy will provide coverage for the network security and privacy elements that should be the primary focus for private equity firms.
To be clear: A general partnership liability policy for the private equity firm typically will not respond to a cyber-security loss at the portfolio company level or vice versa. This is where it is absolutely critical for a PE firm to perform some level of cyber security due diligence and review the current insurance in place at the target level, including any cyber liability coverage, to make sure all of the potential exposures are properly addressed.
Cyber risk can carry a variety of consequences, which ultimately may impact many different insurance policies. It is imperative for private equity firms to undergo an assessment of all of the possible insurance policies that might respond to a cyber incident, as many policies remain silent on cyber risks or provide some element of affirmative coverage for very specific exposures––for example, funds transfer fraud, also known as “social engineering.” In a typical scenario, a loss results from a business email compromise, and an employee of the fund (anyone from the GP, CFO, a deal-team member, or an administrative assistant) unknowingly wires money to a fraudulent third party. This type of exposure is sometimes covered under a cyber liability policy, but could also be covered under a traditional commercial crime policy. Given the potential overlap, it is important to identify all potential policies that may respond to the fallout from a cyber-related event.
During the recent Private Equity International conference in New York, two things became abundantly clear to those in attendance:
- Cyber security risks and exposures continue to evolve and new threats are emerging on an almost daily basis in 2019.
- CFOs and COOs of private equity firms are growing more aware not only of the risks to their funds, but also of their responsibility as stewards of the fund assets to protect them from the ongoing and emerging threats.
As regulations like GDPR are rolled out in the EU, the United States has already passed the CCPA in California, with more legislation potentially to be passed at the state or federal level over the next 18–24 months. Even if no further regulations are enacted, many firms are looking to use GDPR and the CCPA as the new gold standards for data protection. With this in mind, private equity firms and their portfolio companies need to be aware of the cyber risks and exposures faced at both the fund level and the portfolio company level.
One final way in which the private equity community can assess, prepare for, mitigate, and combat cyber risk is by partnering with an expert insurance advisor at both the fund and portfolio level. Woodruff Sawyer has such expertise.
An expert advisor can also help navigate the constantly changing cyber liability insurance marketplace and ensure both the private equity firm and its portfolio companies have state-of-the-art cyber insurance programs in place. Deep expertise in the space and long-standing relationships with all available insurers are critically important given the myriad coverage options and enhancements available. Several insurers are already beginning to expand their coverage forms to enhance coverage related to GDPR, including potential fines and penalties related to compliance failure. We expect the broader marketplace to enhance its coverage forms in response to legislation like GDPR and the CCPA. Having an advisor on the bench to help navigate the nuances of the coverage has been and will remain critical across the M&A spectrum in 2019 and beyond.