
PE firms put cybersecurity on speed dial - Private Funds CFO

Private Funds CFO, archived Mar 18, 2026



Cyberattacks don’t wait to happen during work hours. They strike late Friday night or during long weekends, and for private equity firms, the question isn’t if something will go wrong, it’s when. And PE firms are responding by keeping cybersecurity experts on retainer.

“It’s not just about preventing a cyberattack anymore – that ship has sailed in many cases,” said Rocco Grillo, managing director with consulting firm Alvarez & Marsal’s disputes and investigations group and head of the firm’s global cyber risk and incident response services practice. “It’s about being ready to respond. You’ve probably heard the term ‘cyber resilience’ – that’s the name of the game now.”

An incident response retainer is a pre-negotiated agreement that ensures help is ready to go when a breach happens.

“Think of an incident response retainer like a fire drill,” Grillo explained. “You don’t want to be figuring out your plan after the fire starts. Before you even sign a retainer, you need to ask: Do we have an incident response plan? Have we tested it? Who makes the decisions in a crisis?”

The high cost of delays

Incident response retainers establish a relationship and process so that when a cyber attack occurs, firms are not scrambling to contain an issue and discover how it happened and how best to respond.

“If you’re reaching out for help during a crisis without a retainer in place, it’s going to cost more. And worse, it’s going to take longer to respond,” Greg Slayton, a director at ACA Aponix, said.

The services offered through a retainer vary, but generally include immediate incident response, forensics, ransomware playbooks and readiness testing. Many retainers also bundle in training, threat hunting and virtual CISO services, which provide strategic advisory beyond just crisis management, Slayton said.

Retainers through cyber insurance

Cyber insurance policies often include access to pre-approved incident response providers, but the coverage is typically limited.

“Insurance pays for triage – stopping the bleeding. Once the immediate threat is contained, the clean-up and deeper remediation often fall to the organization. That’s when the costs start to mount,” said Ryan Castle, CEO & founder of Conduit Security.

Incident response retainers are similar to legal retainers, with PE firms paying a cybersecurity firm to be available when needed. Generally, retainers activate only in the case of significant incidents, not for minor concerns, Castle explained.

Some insurers require clients to use their preferred vendors for reimbursement. Grillo noted that even in those cases, firms still need to choose from a list and get contracts in place before something happens. “You don’t want to be figuring that out while you’re under attack,” he added.

The legal response

Many law firms also provide incident response support, especially when data and communications need to remain privileged. Some law firms have pre-established relationships with cybersecurity teams and can lead co-ordination with regulators, law enforcement and the media.

“If it’s a privileged matter, you’ll want outside counsel involved from the start,” Grillo said.

Not every firm has suitable coverage through insurance. In those cases, going directly to a reputable cybersecurity provider is a solid path. That means doing homework on such providers.

The independent edge

“You want 24/7 coverage, a team big enough to handle multiple incidents and a provider with experience in your industry,” Castle said. “Ask for references. Look into their track record. Some firms have former law enforcement on staff, which can really help when dealing with federal agencies.”

Castle added that if a firm opts to secure a retainer independently, it can lead to a more direct and tailored relationship, often providing broader services than those available through insurance. However, independent firms may face challenges in negotiating favorable rates compared to larger firms that work with insurers regularly.

Slayton also noted that good incident response providers don’t just show up when something breaks. They also help prevent problems through readiness assessments, tabletop exercises and forensic recovery capabilities.

“If an incident occurs, you want someone that knows how to preserve and analyze evidence related to the breach, enabling organizations to understand the root cause of the problem and prevent future incidents,” Slayton said.

A global reach?

Private equity firms with international holdings need to ensure their cyber partners can operate across all jurisdictions.

“You don’t want a partner that’s only US-based if you’ve got operations in Europe or Asia,” Grillo warned.

And collaboration is key. Your incident response firm needs to work well with your outside counsel, PR team, managed security services providers and others in your crisis response ecosystem.