Specialty Podcast: SEC Cyber Regulations and Their Impact on Private Equity and Portfolio Companies

Intro (00:00):
You're listening to the Alliant Specialty Podcast dedicated to insurance and risk management solutions and trends shaping the market today.

Chris Clark (00:08):
Welcome to another edition of the Alliant Specialty Podcast. Today we'll be focusing in on the SEC's new rules for cybersecurity as it pertains to private equity. Today we're joined by one of my colleagues, Chad Neale, who heads up our Cyber M&A, and we're also joined by special guest, Chris Hetner, former advisor for cybersecurity to the SEC. And I want to let Chris give a little bit of background and introduction to himself.

Chris Hetner (00:36):
Thanks, Chris. Great to be with you. I’ve been in the cyber arena for about 30 years now. Most of my career was spent in Wall Street here in the New York area, supporting security operations and resiliency capabilities across some of the larger banks. I spent five years at Citigroup; five years at GE Capital, was their Global Chief Information Security Officer; a couple years in management consulting; and then an opportunity surfaced to come serve as senior policy advisor to the chair of the SEC. So I worked directly under both Mary Jo White and Jay Clayton in that capacity, largely responsible for informing policy rulemaking prioritization around, we'll call it enforcement activities, as well as some of our advanced analytics in terms of how cyber threats introduce material business operational harm. And now with the new SEC agenda coming through with regards to company disclosures including investment management implications, most of the work that my team has delivered is setting the foundation for how we govern and oversee cyber risk going forward. Now back in the private sector, senior advisor to the National Association of Corporate Directors, we've got just approaching 23,000 members across our portfolio, largely focused on cyber security education, risk resiliency, as well as cyber risk reporting across our boardroom community. I look forward to the conversation today.

Chad Neale (02:01):
Chris, we're so excited to have you as part of this podcast. Your background is going to provide some really helpful insights for our clients. When I look back on 2023, the number of cybersecurity breaches continue to be a problem for PE firms and their portfolio companies. And specifically, the number of attacks that are targeting the portfolio companies themselves. And I know the SEC is definitely getting concerned about the negative impact that's having on investors. And as a result, we saw them come out with some proposed amendments around the Reg SP rule that has been in place, really unchanged for many years. I'm curious, as you look at the proposed amendments to Reg SP, I'd love to hear some of your thoughts about what you saw as being proposed. When do you think we might see those actually being enforced in 2024? And lastly, what surprised you most that you saw and think might be codified?

Chris Hetner (03:07):
That's a great question. Historically. Reg SP has been focused on the protection of personal identifiable information tied to a particular investor. So, think of an account number, the types of investments positions, social security numbers, personal data and those types of requirements still hold through today. What the pivot is going to shift toward is how does the fund, the investment management company, oversee the integrity associated with their investment portfolio? And so with a backdrop around cyber losses reaching trillions of dollars, companies taking hundreds of millions of dollars in write downs, intellectual property theft continues to persist. Business interruption due to ransomware takes out complete operations. These types of events are costing companies write downs through negative implications associated with the balance sheet, and therefore has a negative impact on, from an investment exposure perspective, whether it's a depreciation in the stock, a depreciation in the value of the company tied to intellectual property theft.

So the commission is now taking a leap forward toward not only are we interested in understanding how you're protecting investor data, but how you're protecting the investment portfolio. And so this new investment management role that is likely going to be approved next year, first quarter, is going to focus on that exactly. And in fact, I just recalled in the proposed rule there was some language there that says, you know, even the board of directors can no longer take a passive role on cybersecurity oversight across the investment portfolio. So that's going to be a bit of a shift in terms of how the investment management community oversees their portfolio through the lens of cybersecurity risk management and resilience. And you know, the historical view on this is, again, protect the personal data associated with the investor, but now, how do we deploy investments and capital to make sure that your investment portfolio aligns to the expectations of the investor? And we could see increased disclosures around potential breaches across your investment portfolio as well.

Chad Neale (05:20):
Right. I think that represents a significant shift, as you put it. It's really a paradigm shift when you think about the historical approach private equity has taken to portfolio company risk management and cybersecurity. I know traditionally it's always been more of a hands-off trust management's doing what they should be doing. These proposed changes are going to require a heightened level of oversight. I was also just looking at the priorities that the SEC put forth for 2024, and of course cybersecurity's right there. And some of the things that you mentioned around operational resiliency, protection against ransomware, those are definitely front and center. Love to hear your thoughts on some of those priorities and how those tie back to some of these proposed changes.

Chris Hetner (06:07):
Yeah, the division of examinations issues, that list of priorities every year - cybersecurity, information security, technology risk management - typically falls in one bucket. The priorities for the commission is fairly consistent with the last few years. I would say there's going to be an increased focus on operational resilience. Chad, to your point, the companies are not only realizing traditional data breaches or misappropriation of funds or misappropriation of intellectual property, but they're also realizing significant disruptions to their business operations that's causing hundreds of millions of dollars in write downs and operational loss and significant attrition rate tied to customers’ potential class actions, potential regulatory obligations, counterparty obligations. And so the focus is on not a matter of if, but when the type of business interruption attack occurs. And then the pivot point from there is what types of risk reducing measures and investments are you applying across the company, across the portfolio to meet those risk tolerance levels?

If you're a manufacturer and you're producing widgets, and widgets aren’t able to be produced due to a ransomware event over let's say a five-day outage, that could potentially cost you tens of millions, hundreds of millions of dollars in lost production. And so, the conversation is now that the investment portfolio managers, including the PortCos, need to think through based on your business profile and these potential events being realized, what's the right level of investment that we should be making to reduce that risk? Is a five day outage acceptable? The answer might be yes, but what if the answer is no? And maybe it goes from five days to one day; one day is acceptable, but beyond that, we start losing tens of millions of dollars a day. And so your backed into that risk acceptance or risk tolerance level, a discussion around where to deploy capital, how much risk you're willing to accept, where to mitigate that risk most effectively. And then how do you optimize your risk transfer policies aligned to those risk domains accordingly? I've seen many companies that have misaligned insurance policies tied to the business profile where, suddenly they have an outage of 48 hours, they go to their insurance carrier or their broker, and the policy wasn't written for that particular loss power category. So starting with the proper alignment of the policy to that loss category, backing that into your comprehensive plan, if this is exactly where the commission's going with this in terms of resiliency.

Chris Clark (08:45):
That's an interesting take there, especially around what private equity and their portfolio should be looking at as far as a risk tolerance. A lot of things that Chad and I, when we're talking to our clients, one of the things they're asking us, what are the key four steps that we need to take, not only at the fund level, but at the portfolio level? What would you say the four pillars are the SEC will have from a requirement perspective going into '24?

Chris Hetner (09:08):
It starts with the board and the oversight of the portfolio companies individually as well as an aggregate. How effectively do you have a handle across how those portfolio companies are organized by industry sector? How effectively is the board engaged in terms of oversight? The next step is around due diligence upfront. Are you buying an asset that has been compromised or are you buying an asset that has some type of exposure that hasn't been realized as part of due diligence? So having that due diligence up front is going to be a focus area. Third is the oversight across the portfolio. So drilling down into by segment and by industry vertical type, what are the most likely cyber threats that are going to occur and impact those individual companies, those individual segments, and what are you doing about it from a capital investment perspective? Cyber threat exposure to the healthcare vertical is going to look different compared to manufacturing.

Going to look different compared to a payment system processor; is going to look different compared to an energy company. So having those organized by industry sector and drilling into how effective you're overseeing and making sure that those deployments of investments are being applied effectively. And then I think, fourth, how do you translate or contextualize your cyber threat landscape through the lens of the business? And so historically in the private equity industry, we've taken a technology hammer to this issue. We've done continuous technology scanning, we've done continuous bottom up security assessments. And those will continue to evolve. But how do we bring that technical exposure to business, operational, financial context so that we understand the exposure through that lens and then we're effectively communicating that upstream to the board of directors.

Chad Neale (10:55):
That to me is such an important point that you raise here because as you mentioned, we've thrown a lot of technology at this problem. If you look at the investment in cybersecurity technology over the last 10, 15 years, the investment's got a very steep curve, but yet you still see so many of these attacks wreaking havoc, not only in private equity owned businesses, but in general. But to this audience, the impact it's having on their investments is dramatic. And so I think what you're saying here is tools and technologies, that's important, but you need to raise this up to a board level discussion so that you can make those decisions around risk acceptance, resource allocation, budget, so that it's got the appropriate eyes on this issue and you really take more of a risk management approach versus just throwing a bunch of technology and hope you're aiming at the right spot. How do you feel about that, Chris?

Chris Hetner (11:55):
That's spot on Chad. In fact, I would argue complexity is the enemy here. And so if you're managing a portfolio of let's say 50 companies, it's probably in your best interest to think through how to simplify the technology stack and the investments in cybersecurity across all those portfolios, across the companies within the portfolio. And how do we create some commonality? How do we reduce fragmentation? And by the way, by reducing fragmentation, you achieve two positive objectives. Number one, you reduce the exposure because now you're creating more consistency across the platform. But two, you can drive down cost and both objectives should be extremely appealing to a private equity company overseeing the portfolio. And then you're driving value, you're de-risking the asset and providing more efficiency. So I think this will be a priority going forward. And I would advise boards of directors and executive management teams within their portfolio companies to start looking at their portfolio company through the lens of rationalizing and simplifying the technology stack.

Chris Clark (12:59):
Chris, you mentioned simplifying the solution at the fund level down to the portfolio. How heavy handed do you think private equity sponsors should be with their portfolio and in conjunction to what potentially the penalties will be for non-compliance or the inability for them to explain how they're protecting the digital assets of their portfolio?

Chris Hetner (13:18):
Having led a fairly small practice for focusing on private equity firms and obviously my role at the SEC looking in the investment management space, realizing that there are different types of strategies, there are more active private equity firms that acquire and operate the asset. And then there's the other side of the spectrum, is more of a passive investor, but the ones that are acquiring the asset, having operating partners involved, I think it's going to be more of a heavy-handed approach, especially upfront through due diligence and oversight. But if you're more of a passive investor, you should be asking those right questions.

Chad Neale (13:57):
Chris, I was going to ask about with these risks that we're talking about and with the SEC focusing in here, I still am surprised when I talk to my private equity clients and prospects about due diligence and they ask me, well, I'm investing in manufacturing, do I really need to have cybersecurity due diligence? Is it part of this or it's really industry specific. And my answer's always been, everyone has this risk and ransomware has really changed the game because everybody has that operational risk that ransomware brings to bear. So you may not have information that you think could be sold on the black market and would have someone actively trying to steal that from you, but you still need to run a business and if you can't get to your data, run the business, you're going to have some major problems. And those problems add up to serious dollars, very quick. So when you think about due diligence, what's some of the guidance that you give your clients around how to approach cybersecurity in that phase and what are you trying to get out of that, both from a pre-deal perspective and a post-acquisition point of view?

Chris Hetner (15:08):
It's a great question. And it really aligns nicely with the way we deliver board oversight and through the National Association of Corporate Directors. And what we do is we contextualize the business context associated with the asset that you're looking to acquire through your due diligence and realizing that you don't have an unlimited amount of time as part of that upfront due diligence. So you've had to be precise and targeted against those risk areas that are most relevant to that particular asset. And so we arm the boardroom, we arm chief risk officers, chief investment officers with data around the business context, the specific threats impacting that particular company aligned to that particular vertical. And then quickly get to, here are the top five areas that are introducing financial exposure. Here are the top five areas you should focus on in order to reduce the risk and then equip the due diligence team with that data so that they are asked the right questions and then they're receiving the right information in an efficient way.

And if you are missing those investments or you're realizing that this asset that you're acquiring has potential exposure, unnecessary debt, unnecessary inadequate hygiene, then your risk profile goes up. And that should be used as a leverage point for negotiations for remediation. The commission is going to start looking at this very closely representing the investor community, particularly through the enforcement organization. And then secondly, beyond the SEC, this is now opening up the aperture for class action suits through other organizations. So you've got two ends of it. You've got exposure from the SEC, but also from the investor community.

Chad Neale (16:48):
That's some seriously powerful advice right there, because we all know that a cybersecurity breach is not a matter of if, it's just a matter of when. And if we all agree to that, and now you've got the SEC and potential lawsuits coming from investors when they feel like they've been harmed. You want to be able to tell a really good story about the due diligence that you did and how you validated that there were appropriate safeguards in place. Because that's going to come out, I would imagine, in any kind of class action or enforcement by the SEC. So making sure you've done your due diligence and you can say that you looked in the right areas and so on is going to be really critical. Chris, thank you so much for sharing your insights here today with us, having somebody with your intimate knowledge of the inner workings of the SEC, how they're staffing up for this, the priorities and what that means to our clients and the prospects. I just want to thank you so much for your time and sharing those insights. I'd also like to let the audience know that we will be in New York with Chris Hetner January 29th. It's a pre-PEI private funds for the CFO event that we're hosting. And we would certainly welcome anybody that would be interested in joining that. Please reach out to myself or Chris Clark for more information. And again, thank you so much Chris Clark, thank you for partnering with me on this podcast and thank you audience for joining us.