The pace at which cyber threats are evolving, together with the associated regulatory requirements, presents significant challenges to even the most operationally mature organizations in managing the risks effectively. Throughout 2021, there were alarming news reports concerning ransomware, wire fraud, "supply chain" attacks, and data theft. These headlines are expected to become even more widespread as companies continue to expand their technological presence into the cloud and other digital platforms, thereby increasing their exposure to cyber-attacks. The ongoing impact of cybercrime is significant and should not be underestimated. The projected cost of damages from cybercrime is anticipated to rise from $6 trillion in 2021 to an estimated $10.5 trillion annually by 2025.

CYBERSECURITY IN PRIVATE EQUITY

In the private equity sector, awareness of cyber risk and threats among General Partners (GPs) has increased. This shift has been driven by Limited Partners (LPs), who are seeking a better understanding of how firms are securing their own environments and how they are addressing cyber risks at portfolio companies. To address this, the Institutional Limited Partners Association (ILPA), a global organization representing limited partners, has issued a revised standardized due diligence questionnaire with added cybersecurity components. Private equity (PE) firms are in a unique position to address cyber risks by taking an active role in the companies they invest in and implementing best practices to protect against cyber threats. Thoma Bravo, a private equity firm that specializes in investing in software and technology companies, is an example of a firm focused on cybersecurity [1]. The firm has invested in several cybersecurity companies, such as Barracuda Networks, Centrify, and Imperva, to help them grow and become leaders in the industry. Blackstone is another example of a private equity firm that has invested in cybersecurity companies, such as FireEye, to expand its product offerings and global presence. The impact of cyber threats on businesses should not be underestimated, as they can result in significant financial losses, reputational damage, and legal liability for those who fail to protect themselves adequately. Private equity firms' efforts to address these risks are therefore essential in today's digital landscape.

HOW SHOULD PRIVATE EQUITY FIRMS RESPOND TO THESE RISKS?

An effective strategy for managing cyber risk involves establishing a simplified and manageable process that treats cyber risk as equivalent to other forms of risk, such as market risk, counterparty risk, and legal risk. To achieve this, formal practices for managing cyber risk should align with existing risk management approaches, so that cyber risk is treated as just another type of risk rather than as a distinct and separate category. To this end, a well-designed approach to managing cyber risk might exhibit the following characteristics:

  1. Informed [2] - the approach should promote and support awareness of current cyber risks, including regulatory and legal considerations.
  2. Manageable - any risk evaluation should be performed in a way that is manageable, does not overwhelm the business, and does not disrupt day-to-day operations.
  3. Digestible - the reporting generated should be in plain English and easily understood by key risk personnel, including COOs, deal teams, and boards of directors.
  4. Actionable - the reporting should be clear and provide reasonable next steps to address identified cyber risks.

In this way, a streamlined and integrated approach to managing cyber risk can be established, minimizing the negative impact of cyber threats and ensuring that they are treated with the same importance as other forms of risk.

AN EFFECTIVE APPROACH TO ADDRESSING CYBER RISK WITH PORTFOLIO COMPANIES

If a serious cybersecurity event affects a private equity (PE) firm or one of its portfolio companies, it can put the firm's reputation at risk among stakeholders, regulators, and investors. It is therefore important to plan a cybersecurity review of portfolio companies that is efficient, measurable, repeatable, and actionable. The review should be a summary assessment supported by an established cybersecurity control framework, such as those published by the National Institute of Standards and Technology or the International Organization for Standardization, and need not require a comprehensive security risk assessment. It should produce clear outputs that are quantitative and baselined, and it should be executed periodically to capture changes in the portfolio companies' cyber risk, such as the migration of systems to the cloud. The reporting should be clear and include reasonable next steps for portfolio companies to address any urgent identified cyber risks.

In India, several laws and regulations aim to safeguard against cyber threats, including in the PE and VC space. One such regulation is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 [3]. These rules require all companies to implement reasonable security practices and procedures to protect sensitive personal data or information from unauthorized access, use, disclosure, and destruction. This applies to all companies, including those in the PE and VC space.

Another regulation that specifically applies to the PE and VC industry in India is the Securities and Exchange Board of India (Alternative Investment Funds) Regulations, 2012 [4]. These regulations require all alternative investment funds, including PE and VC funds, to establish proper risk management systems and processes. This includes identifying and assessing risks related to cyber threats and taking measures to mitigate those risks.

In addition, the Reserve Bank of India (RBI) has issued guidelines on Information Security, Electronic Banking, Technology Risk Management, and Cyber Fraud. Although there may be no specific RBI guidelines governing cybersecurity in private equity firms, such firms may still be subject to other applicable laws and regulations on data protection, privacy, and cybersecurity, depending on the jurisdiction and industry in which they operate. Private equity firms are advised to consult legal professionals specializing in cybersecurity and data privacy to ensure compliance with relevant laws and to establish appropriate cybersecurity frameworks and protocols.

Finally, the Indian Penal Code (IPC), 1860, and the Information Technology Act, 2000 [5] also provide legal recourse against cyber threats. Under the IPC, cyber threats may be classified as offenses such as theft, fraud, and mischief, and the offender can be punished accordingly. The Information Technology Act, 2000 provides specific provisions for cyber offenses such as unauthorized access, hacking, and damage to computer systems.

Overall, the Indian legal and regulatory framework provides significant safeguards against cyber threats to the private equity and venture capital industry.

CONCLUSION

In the ever-changing landscape of cyber threats, it is crucial for PE firms to remain vigilant and take measures to anticipate and manage potential risks. These risks can arise from various sources, including third-party vendors and portfolio companies, and it is therefore imperative that PE firms stay up to date with regulatory requirements and best practices to mitigate these risks and protect the profitability of their portfolio companies. Cybersecurity has become a top priority for businesses, and PE firms are taking an active role in helping their portfolio companies tackle cyber threats by implementing cybersecurity best practices within them as well. Additionally, the trend of more PE firms investing in cybersecurity companies and contributing to the advancement of cybersecurity technology is likely to continue.

Footnotes

1. https://www.thomabravo.com/companies as accessed on 12th May 2023.

2. https://www.forbes.com/sites/forbestechcouncil/2022/07/27/5-best-practices-to-ramp-up-cybersecurity-at-private-equity-and-vc-firms/?sh=68c82c10102d

3. Ministry of Electronics and Information Technology, "Information Technology (Intermediaries Guidelines) Rules, 2011" (https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf) as accessed on 7th May 2023.

4. Securities and Exchange Board of India (Alternative Investment Funds) Regulations, 2012 (India) (https://www.sebi.gov.in/legal/regulations/apr-2017/sebi-alternative-investment-funds-regulations-2012-last-amended-on-march-6-2017-_34694.html) as accessed on 7th May 2023.

5. Information Technology Act, 2000 (https://www.meity.gov.in/content/information-technology-act-2000-0) as accessed on 8th May 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.