In the first of a three-part series, I explored cyber due diligence best practices for private equity firms. In this Part II, Dan Frusciano, Liberty Mutual’s North America head of cyber underwriting, and I will examine the role PE boards play in cyber security and how they can amp up their expertise to meet the growing demands and complexities of cyber security.
As I wrote previously, cyber risk is multi-dimensional for PE firms: they face cyber security issues at each of their portfolio companies as well as at the firm itself. In the past, firms might have relied on the boards of their portfolio companies to evaluate cyber risk, but that approach is rightfully changing. It is now increasingly recognised that PE boards should be armed with the expertise to drive the firm's overall cyber security approach, so that risk is assessed consistently and holistically across the portfolio. A board that has not recommended or pushed for cyber security may otherwise face scrutiny for negligence should a breach occur.
Role of regulation
The Sarbanes-Oxley Act, which requires public companies to disclose whether their audit committee includes a financial expert, forever changed the makeup of boards. Dan and I agree that in the next 10 years we likely will see something similar play out for cyber security. We anticipate it will become a requirement of public companies – and that private companies will follow suit – to have a cyber security expert on their board, or else face fines from the SEC or other regulators. Should an incident occur, the lack of one will signal, whether true or not, that the right level of oversight over cyber security was lacking.
In fact, we are already seeing the breadcrumbs of formal board-level cyber security oversight, beginning with the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in 2022. Once its implementing rule takes effect, covered critical-infrastructure entities must report to CISA "any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred." A board that learns of an incident only after that window has closed has little room to influence the response, so the reporting clock is itself an argument for board-level preparedness.
Steps to strengthen cyber security expertise
There are four concrete actions private equity boards can take now to amp up their cyber expertise:
- Access to the CISO. For private equity firms, a major obstacle to having a cyber expert on the board is that there simply are not enough people with the necessary cyber skills and knowledge at board level to fill those seats. The solution is to give the chief information security officer (CISO) a greater presence at the board, but not to a fault: a CISO can only be spread so thin across a firm's portfolio companies. A balance should be struck between the board drawing on the CISO's expertise and developing its own.
- External expertise. Smart boards recognise the limits of their own expertise and turn to others to augment their cyber education. This could include inviting cyber industry experts to brief the board on specific topics, from ransomware to the security of blockchain systems, at board meetings.
- Solid public-sector relationships. Boards should know, before an incident, the right people to engage if a breach occurs. This may include the FBI or state and local representatives. Having mature relationships with these entities in place ahead of time helps smooth the way for a transparent and speedy response.
- Training. Board members need cyber training that goes above and beyond the foundational training given to rank-and-file employees, managers or even the C-suite. It should centre on the board's role: defining the cyber security strategy, overseeing its implementation and holding the C-suite accountable for cyber security.
Cyber is a peril that touches all companies, from the small corner bakery to a Fortune 500 business, making cyber risk a must-address issue for boards. Knowledge gaps can be closed and strategic steps taken so that a board can confidently influence a firm's approach to cyber, helping to protect investments and build the business.
Liberty Mutual’s dedicated underwriters, close partnerships with our clients and brokers, and expert mitigation and claim resources help us deliver cyber liability solutions appropriate to the individual needs of companies across geographies and industries. Learn more about how we help private equity firms manage their unique risk needs.