Private equity firms are failing to adequately manage cyber-risk in their portfolio companies, with a fifth (19%) of such businesses found to feature easily exploitable vulnerabilities, according to BlueVoyant.
The security vendor chose a group of private equity firms at random and analyzed the 780 unique portfolio companies they had invested in to compile its report, “Private Equity: A Look at Portfolio Company Cyber Risk.”
It revealed that 149 of these companies, or around a fifth of the total, had so-called “zero tolerance findings.” BlueVoyant categorizes these as:
- Known critical vulnerabilities in software on internet-facing systems, where a patch is available
- Malicious activity, involving “beaconing” from inside the organization to known malicious infrastructure
- IT hygiene, specifically open or misconfigured ports exposed to the internet, which can be probed to gain access via credential stuffing and other techniques
The companies impacted had between one and 11 of these findings, with more than half having two or more and almost a quarter having six or more.
Some 70% of critical internet-facing findings came in the area of IT hygiene.
Here, the most common open or misconfigured ports related to remote desktop protocol (RDP), a major vector for ransomware. This accounted for 27% of findings, versus 18% for Server Message Block (SMB) and 17% for Windows Remote Management (WinRM).
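The three zero-tolerance categories above, and the per-company and per-service aggregation the report uses, can be reproduced over one's own external-scan and telemetry data. The following is an added example written for this page, not BlueVoyant's tooling; the port-to-service mapping, record layout, company names and CVE ids are all assumptions or placeholders.

```python
from collections import Counter

# Port-to-service map is an assumption of this example; the report names the
# services (RDP, SMB, WinRM) but not port numbers.
HYGIENE_PORTS = {3389: "RDP", 445: "SMB", 5985: "WinRM", 5986: "WinRM"}

def triage(records):
    """Keep only records that meet one of the three zero-tolerance bars.

    Returns (company, category, detail) tuples; everything else is dropped.
    """
    out = []
    for r in records:
        if (r["kind"] == "cve" and r["severity"] == "critical"
                and r["patch_available"] and r["internet_facing"]):
            out.append((r["company"], "vulnerability", r["cve"]))
        elif r["kind"] == "beacon" and r["dest_known_malicious"]:
            out.append((r["company"], "malicious_activity", r["dest"]))
        elif (r["kind"] == "open_port" and r["internet_facing"]
                and r["port"] in HYGIENE_PORTS):
            out.append((r["company"], "hygiene", HYGIENE_PORTS[r["port"]]))
    return out

def summarize(findings):
    """Aggregate the way the report does: per-company counts and hygiene share."""
    per_company = Counter(company for company, _, _ in findings)
    hygiene = [detail for _, cat, detail in findings if cat == "hygiene"]
    return {
        "impacted_companies": len(per_company),
        "two_or_more": sum(n >= 2 for n in per_company.values()),
        "six_or_more": sum(n >= 6 for n in per_company.values()),
        "hygiene_share": round(len(hygiene) / len(findings), 2) if findings else 0.0,
        "hygiene_by_service": dict(Counter(hygiene)),
    }

# Constructed sample records; company names, host and CVE ids are placeholders.
SAMPLE = [
    {"kind": "open_port", "company": "portco-a", "port": 3389, "internet_facing": True},
    {"kind": "open_port", "company": "portco-a", "port": 445, "internet_facing": True},
    {"kind": "open_port", "company": "portco-a", "port": 443, "internet_facing": True},
    {"kind": "cve", "company": "portco-b", "cve": "CVE-0000-0000 (placeholder)",
     "severity": "critical", "patch_available": True, "internet_facing": True},
    {"kind": "cve", "company": "portco-b", "cve": "CVE-0000-0001 (placeholder)",
     "severity": "critical", "patch_available": False, "internet_facing": True},
    {"kind": "beacon", "company": "portco-c", "dest": "c2.invalid", "dest_known_malicious": True},
    {"kind": "open_port", "company": "portco-c", "port": 5985, "internet_facing": False},
]

if __name__ == "__main__":
    print(summarize(triage(SAMPLE)))
```

Note that a critical CVE without an available patch and a WinRM port that is not internet-facing are deliberately not counted, matching the category definitions rather than raw scan volume.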
Most impacted portfolio companies were located in the US (222) and the UK (133), although proportionately these countries fared better than the average, representing just 13% and 12% of the total respectively.
Those companies in the tech sector were twice as likely as the average portfolio firm to feature zero tolerance findings, at 39%. Those in professional services (21%) were about average, while retail (17%), manufacturing (16%), financial services (13%) and healthcare (12%) fared better.
BlueVoyant claimed that while private equity firms recognize the importance of cyber-risk, many prioritize “speed of deal” over due diligence. The vendor argued that point-in-time assessments are not sufficient for managing risk amid constantly evolving threats and technologies.
The financial repercussions of a serious security breach could be significant for private equity firms, BlueVoyant argued.
“When it comes to private equity portfolio companies, we see a wide range of cyber-defense postures,” said Dan Vasile, vice president of strategic development at the firm.
“Cybersecurity as a subset of risks is sometimes overlooked. This analysis confirms the need to prioritize cyber-defense in order to protect portfolio company value. The private equity space is beginning to get on track. However, we must button-up the entire process to protect those vulnerable entities, as well as ramping up cyber-defense against less easily exploitable but equally damaging threats.”