Security, Privacy, and Compliance
Security & Compliance in Private Equity Portfolios: The Overlooked Priority
Drawing on my experience conducting over 300 IT and security diligences, on companies ranging from the low mid-market to billion-dollar enterprises, one observation stands out. Once the diligence and readout are complete, and despite the private equity firm's best efforts to strengthen its portfolio companies, a startling reality emerges: only about 20% of these companies treat security and compliance as a priority after close and remediate the findings. The remaining 80% do not address the diligence findings at all, reasoning that "if we have not been hacked, we must be secure."
Even the minority that does acknowledge the importance of security usually takes the path of least resistance: minimal compliance, doing the bare minimum required. Why does this happen? Several factors contribute to this oversight.
1. Security, privacy, and compliance initiatives are rarely seen as contributing directly to company growth, so they are undervalued. Qualifying for cyber liability insurance is treated as the barometer of the information security program's success. It is not: an insurer's questionnaire establishes a minimum set of controls, not a legally defensible security posture.
2. Many executives underestimate the importance of these initiatives relative to other company projects. Cyber is often viewed as a "nice to have" that is really only required of high-risk, highly regulated entities such as banks and health care providers.
3. There is a pervasive mindset of complacency, "if the house isn't on fire, everything must be fine," which ignores latent risks until they erupt into urgent crises.
4. Both PE firms and their portfolio companies frequently base decisions in these areas on the advice of inexperienced in-house teams or managed IT service providers that lack deep, hands-on security expertise. Outsourcing security decisions to a managed service provider (MSP) requires a high degree of oversight, which in turn requires skilled in-house IT personnel. As a result, PE firms and their portfolio companies often fail to get full value from an MSP and, worse, lack adequate insight into the cyber threats their companies actually face.
5. In-house staff do not keep up with current security tooling and practice, so the company outgrows the sophistication of its own team. Where the company is supported by a third-party managed IT service provider, that vendor typically applies a one-size-fits-all approach, and the company is not fully protected.
The combination of these factors produces a landscape in which the critical areas of security and compliance are sidelined, posing significant risk not only to the companies themselves but also to their stakeholders and investors.
Our IT Support Services are 100% focused on Private Equity-Backed Companies.
Contact Compello Partners for a Complimentary IT Assessment