How private equity firms protect their investments from value losses

Private equity: How secure deals and transactions succeed

  • Article
  • 3 minute read
  • 14 Sep 2023

The number of attacks on digital services and digital infrastructures has risen sharply in recent years. One driver is cybercrime as a service, where phishing or ransomware attacks can be purchased for little money on the darknet. Organisations of all sectors and sizes are targeted. They face dramatic consequences such as reputational damage, fines, and revenue losses.

The heightened threat situation also poses great challenges for private equity firms. If they do not check the level of cyber security before the deal, enterprise and deal value can quickly be overestimated. Furthermore, cyber risks reduce the overall value of the investment portfolio. Vulnerability scans and cyber security due diligence allow for a thorough assessment of the situation and an accurate examination of risks.

The key points in 30 seconds

  • Increasingly complex cyberattacks and strict regulatory requirements such as NIS-2 require special protective measures.
  • Only a few private equity firms consistently pursue a holistic cyber security approach. In addition, some PE investors act negligently when they evaluate targets by not sufficiently examining cyber risks.
  • For private equity firms, implementing security measures should be aligned with the portfolio strategy and take appropriate account of specific risks.
  • Vulnerability scans and cyber security assessments create transparency, minimise risk, and protect or increase the investment portfolio’s value – provided that the cyber security measures are also implemented. If the IT security level is convincing, four to five percent higher sales prices can be achieved at the exit.

Your expert for questions


Jörg Asma
Partner at PwC Germany
Tel: +49 151 41983077

Increasing regulatory requirements due to NIS-2 Directive

The worsening threat situation is forcing legislators to act. To protect critical infrastructures (CRITIS) in particular from cyber attacks, the EU has adopted the NIS-2 Directive (Network and Information Security). It is intended to ensure a high common level of cyber security across the EU. Member states must transpose the directive into national law by October 2024 – an extremely tight timetable. NIS-2 also covers far more sectors than its predecessor and provides for stricter supervisory and sanctioning measures.

What does NIS-2 mean for private equity firms?

Those who specialise in holdings in the energy sector or healthcare, for example, must ensure compliance with the stringent security requirements arising from the CRITIS Regulation and the NIS-2 Directive. For instance, organisations from critical sectors are required to take measures in cyber risk management, supply chain security, business continuity management, penetration testing, and incident response, as well as reporting to the authorities and remediation. The extent to which companies comply with all of these requirements can be determined with cyber security due diligence.

Cyber security scans and assessments make risks transparent

Cyber security due diligence also helps to thoroughly review and assess the security risks and measures before a deal. In this way, it can reveal vulnerability to cyber incidents and prevent private equity investors from acquiring their stakes far above fair value.

Private equity: Protect portfolio from impairment losses

To arm themselves against cyber incidents and protect their digital services and infrastructures in the best possible way, investors need to develop an awareness of the risks in their portfolio and take appropriate security measures. The key to this is overarching cyber risk management based on continuous monitoring.

Using effective methods and services, specialised service providers identify the vulnerabilities of individual investments and the threats they are exposed to. The scope and level of detail of the analyses – so-called PortCo Cyber Scans – can be adapted individually, for example, to the portfolio strategy, the size of the shareholdings, and different risk profiles.

Regulatory Requirements: High bar for cyber security

The more complex the portfolio, the larger the attack surface. Conversely, even with a small portfolio, a single security incident can have severe consequences. Furthermore, firms that specialise in investments in critical infrastructure must ensure compliance with the stringent security standards of the CRITIS Regulation and NIS-2.

The evaluations of the regular PortCo Cyber Scans summarise critical findings and provide recommendations for action for appropriate protection. This creates transparency, minimises risk, and protects the value of the investment portfolio. If the IT security level is convincing, four to five percent higher exit prices can be achieved.

Contact us

Steve Roberts

Partner, PE Leader Germany & EMEA, PwC Germany

Tel: +49 69 9585-1950

Jörg Asma

Partner, Cyber Security & Privacy, PwC Germany

Tel: +49 221 2084-103

Andrea Schmitt

Senior Manager, PwC Germany