How to avoid a private equity ‘techlash’

Ian Bagshaw and Tim Hickman, partners at law firm White & Case, outline the key cybersecurity risk management considerations for private equity firms.

Ian Bagshaw

The accelerated digital transition businesses are being forced to undergo will likely be one of the longer-lasting consequences of the covid-19 pandemic. As the private equity industry adapts its focus towards digital-enabled businesses, investors in data-fuelled companies will need to make data and cybersecurity risk management a key pillar of their strategy.

Data-heavy businesses need to be keenly aware of data protection obligations that arise from legislation and regulation, yet many companies neglect to consider their legal exposure to other participants within the data chain. Failing to manage cybersecurity risk may lead to regulatory enforcement and claims under contract brought by third parties for not protecting their data assets. Private individuals who have had their data disclosed in a cyber breach may also seek compensation.

Tim Hickman

Data privacy and cybersecurity are critical considerations for any business that relies on the internet handshake model. This allows customers to access digital services free of charge and in return the company can harvest and monetise their data. It is implicit within this model that the company protects users’ data. A severe ‘techlash’ will be experienced if there is a failure to manage cybersecurity risk. Consumers are increasingly untrusting of firms with a poor data protection reputation.

The impacts of the ‘techlash’ will also be felt in seismic changes to the regulatory landscape. Rising cybersecurity risk brought on by accelerated digitisation may bring with it increased legislation and regulation. The private equity sector needs to understand that data protection has become a major regulatory focus and investors must adjust their investment thesis accordingly.

The upcoming cash crunch will inevitably divert management focus towards the short-term goals of survivability and profitability. However, underinvestment in cybersecurity and data protection will increase the damage a cybersecurity failure could have on the value of a business. The typical five-to-seven-year length of a private equity investment leaves sufficient time for a risk to come to fruition and reduce the value of an investment through regulatory sanction, liability to third parties and reputational damage.

A proactive approach

Businesses must manage cybersecurity risk from an operational and legal perspective. Operationally, the starting point is technical security. Companies must hire technically competent staff who can constantly monitor systems and have a strong voice in management to empower them to rectify any issues identified. The absence of a credible chief security officer will increasingly be viewed as a due diligence red flag.

Cybersecurity insurance, effective due diligence and contractual protections are key legal tools for managing risk. Firms seeking to rely upon insurance must understand its limitations; in particular, it is unlikely a policy would cover the quantum of any regulatory penalties. Firms must look to take preventative and not just curative actions.

Contractual protections are common in agreements governing data usage; however, firms need to examine the counterparty’s financial and operational abilities to meet their obligations. If a contract requires a counterparty to take certain risk management actions, audits and other tools should be used to monitor compliance.