
Cybersecurity: What legal strategies can protect and enhance business and private equity portfolio value?
By Kristina Holt, Oliver Toomey
7 Aug 2025 | 2 minute read
Cybersecurity resilience is increasingly becoming a measure of value for businesses and Private Equity portfolios. Real Deals magazine recently estimated that healthcare software provider MediSoft Solutions had its price reduced by £2m due to cyber security issues that needed remediation. On the more established end of the scale, Marks & Spencer reported £300m in profit loss and a loss of £1bn in stock market value due to the well-publicised cyber-attack in April this year. Both incidents demonstrate how vulnerabilities can result in existential value losses for businesses of all sizes.
Where a single cyber event can wipe out business value, robust cybersecurity implementation moves from the realm of IT risk management to a genuine value creation opportunity, and one that differentiates businesses from other, more at-risk firms.
Resilience to cyberattacks, and being able to demonstrate that resilience via compliance policies and tech vendor due diligence, is therefore a critical component of any portfolio investment decision.
In this article, we outline the legal strategies that, when combined with technical expertise, can help safeguard and enhance portfolio value.
Reduce regulatory risks with robust data protection policies and compliance frameworks
Data protection regulation in the UK and EU requires businesses across sectors to take steps to prevent serious breaches of personal data. Implementing the necessary procedures and policies to comply with the laws helps reduce the risk of regulatory enforcement, regulatory fines and the corresponding reputational damage. Increasingly, businesses must also consider new laws, including sector-specific regulation relating to operational resilience for firms in or supporting critical infrastructure or financial services, as well as new rules governing the use of AI systems, such as the EU AI Act and UK AI Principles, which require additional steps to optimise cyber security.
Turn cyber-security compliance into a value creation strategy
By implementing effective compliance measures (policies, procedures, etc.), businesses will not simply be going through the motions to protect individual data rights and appease the regulator. The exercise will implement demonstrable frameworks to prevent cyberattacks, which in turn drastically reduces the risk of reputational, financial and operational damage and resulting value destruction.
Protect against third-party risks with strong vendor contracts and due diligence
We now know that M&S's cyber security breach was likely caused by a third-party vendor compromise. This raises a fundamental question: how will the liability be apportioned for M&S's extensive losses? Undoubtedly the answer will be fought over in courts for years to come, and the apportionment will rest largely on the precise wording of the contractual provisions in place between the parties. It is for this reason that we increasingly see cyber security and data breach clauses as the most hotly contested provisions in any technology procurement negotiations. It's crucial that businesses have watertight agreements in place with their software providers and IT consultants to ensure they are well protected.
Find out more
One serious cyber breach can wipe out years of value creation, trigger costly litigation, and damage investor confidence. Our flagship BreachReddi service is built to help Private Equity firms and portfolio leaders get ahead of these risks.
By working with industry experts THREESIXTY and Integrity 360, we have developed an integrated and unique approach which covers cybersecurity, data governance and crisis communication.
To find out more about BreachReddi or discuss any of the issues in this article in more detail, get in touch with a member of our expert team.