Key Takeaways
  • Cybersecurity is a critical part of a private funds CFO’s due diligence, as security breaches pose financial, reputational, personal, and regulatory risks.
  • Third-party vendors and services can harbor risks that might not be easy to see without careful, regular assessments.
  • The rise of AI creates both risks and opportunities for cybersecurity.

Private funds CFOs are no stranger to risk management. Every new investment in a portfolio company requires extensive due diligence across multiple areas. Among these efforts, cybersecurity should be an area of particular concern and intense scrutiny.

An organization’s cybersecurity posture represents a potential financial risk to investors, as well as a personal risk if investors’ information is compromised. Cybercrime is projected to cost $10.5 trillion annually by 2025, according to Cybersecurity Ventures.1 If cybercrime were measured as a country, it would be the world’s third-largest economy, behind only the U.S. and China.

Ransomware in particular continues to present problems. After incidents declined in 2022, ransomware attacks surged in 2023, up 74% year over year as they became more frequent and more widespread.2

The damage from a breach can have a long tail that extends well beyond the incident itself. In October 2024, the U.S. Securities & Exchange Commission reached settlements ranging from $990,000 to $4 million with four companies that made materially misleading disclosures about the extent of the intrusions they suffered in connection with the 2020 SolarWinds Orion supply-chain compromise.

In my experience, it’s almost always better to identify threats and deploy critical cybersecurity controls before you close on an investment with a new portfolio company. It’s equally important to remember that threats and systems change. Ensuring your portfolio is resilient in the face of a wide range of evolving attacks is a critical, ongoing process.

Your vendors may be your problem

Incidents can come from many vectors. Change Healthcare suffered the largest breach of sensitive health information ever reported in the United States as a result of a ransomware attack in February 2024.3 Beyond the $22 million ransom payment, the severe system disruptions, the reputational damage and the lost business, its executives found themselves explaining to a congressional committee that the attackers got in because one of the company’s critical services had not been configured with multi-factor authentication.

That experience underscores the risk of not looking deeply enough into an organization’s systems. Your protection is only as strong as its weakest link. Undisclosed weaknesses and inadequate controls can lurk among third-party vendors that have access to your organization’s data. That risk is especially dangerous because an information breach can broaden the threat from an operational one into something much bigger, as it did at Change Healthcare. Consider how a breach of sensitive information about institutional investors, family offices or private accredited investors could affect your firm’s ability to raise additional funds. It’s vital to ensure that controls are implemented strategically throughout both your own systems and your third-party vendors’ systems.

Beware of “black-box” technology

In terms of cybersecurity, the recent rapid advancements in artificial intelligence have been a double-edged sword. New tools are making it easier than ever for attackers to deploy exploits and run ransomware schemes. At the same time, AI tools offer security teams opportunities to become more efficient at prioritizing and addressing vulnerabilities, for example by automating critical updates and detecting suspicious patterns in network traffic. AI has enabled some security teams to monitor and respond to new exploits many times faster than in the past. However, bad actors have access to the same technology, so I expect we’ll continue to see an arms race on this front.

As new tools become available, it’s important to understand how they can introduce new risks. For example, to guard against unintended violations of copyright law, private funds CFOs should consider what intellectual property may have been used to train an AI model. If you’re using AI to analyze portfolio company candidates ahead of investment decisions, it’s important to know how the decision-making sausage is made. It’s also critical to properly vet models and provide appropriate legal disclosures to any end users, especially external customers or clients.

Anthony Dagostino
President & Chief Underwriting Officer, Avoca Risk LLC

Implement controls strategically and methodically to reduce risk

While risk management is critical, it doesn’t have to be all-encompassing. Few private funds CFOs have unlimited resources to throw at cybersecurity. The goal is a balance between the risk reduction a given tool or technology delivers and the cost of implementing it.

A robust cyber insurance policy can help quantify the potential cost of a cybersecurity incident and guide the level of risk mitigation you might need. Requiring portfolio companies to carry cyber insurance isn’t always possible, however. In its stead, I believe there’s no replacement for a careful risk assessment that includes vulnerabilities related to third-party vendor services and technologies.

To come up with the right mix of controls, lean on expertise anywhere you can find it. If you have the luxury of a partner or teammate who acts as an interim chief information officer for portfolio companies, they could be a great resource for identifying and implementing controls appropriately. Your internal IT department can help as well.

Third parties with knowledge and expertise include managed service providers and third-party cyber risk consulting firms that can often do assessments and make appropriate recommendations. Insurance brokers and insurance companies can be a valuable source of assistance as well.

Cybersecurity is not a one-and-done operation

Cyber threats are always changing. The technologies, tools and vendor partners in any organization can change as well. Regular risk assessments are critical for addressing operational, investment and reputational risks. Building cybersecurity controls into your due diligence process and methodically revisiting those controls to ensure they remain appropriate can help you maximize the full potential of your portfolio investments while also protecting your firm and investors.