How PE boards can amp up their cyber expertise
Authored by Liberty
In the first of a three-part series, I explored cyber due diligence best practices for private equity firms. In this Part II, Dan Frusciano, Liberty Mutual’s North America head of cyber underwriting, and I will examine the role PE boards play in cyber security and how they can amp up their expertise to meet the growing demands and complexities of cyber security.
As I wrote previously, cyber risk is multi-dimensional for PE firms in that they face cyber security issues for their portfolio companies as well as for the firm itself. While in the past firms might have relied on the boards of their investment companies to evaluate cyber risk, the approach and thinking is rightfully changing. It is now increasingly recognised that PE boards should be armed with the expertise to drive a firm’s overall cyber security approach so that risk is looked at consistently and holistically. If not, should a breach occur, a private equity board may face scrutiny for being negligent if they have not recommended or pushed cyber security.
Role of regulation
The Dodd-Frank Act, which requires that there be a finance expert on public company boards, forever changed the makeup of board composition. Dan and I agree that in the next 10 years we likely will see something similar play out for cyber security. We anticipate it will become a requirement of public companies – and that private companies will follow suit – to have a cyber security expert on their board, or else face fines from the SEC or other regulatory institutions. The lack of one will indicate, whether true or not, that the right level of oversight was lacking over cyber security should an incident occur.
In fact, we are currently seeing the breadcrumbs of formal board-level cyber security oversight beginning with the following disclosure law that was signed into law in 2022. This legislation requires companies to report “any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.”
Steps to strengthen cyber security expertise
There are four concrete actions private equity boards can take now to amp up their cyber expertise:
- Accessibility for CISO. For private equity firms, a major hold-up in having a cyber expert on the board is that there are just not enough people with the necessary cyber skills and knowledge at the board level to fill those seats. The solution is to increase the presence the chief information security officer (CISO) has at the board level, but not to a fault as the CISO can only be spread so thin across a firm’s portfolios. A balance should be struck between a board providing this accessibility for the CISO while also developing its own cyber expertise.
- External expertise. Smart boards should recognise the limits of their own expertise and turn to others to augment their cyber education. This could include inviting cyber industry experts to talk about certain cyber topics, from ransomware to cyber security and blockchain, at board meetings.
- Solid public sector relationship. Boards should ensure they know the right people to engage if a breach occurs. This may include the FBI or state and local representatives. Having mature relationships with these entities can help smooth the way for a transparent and speedy response.
- Training. Board members need very specific training on cyber above and beyond foundational training that is different than rank-and-file employees, managers or even the c-suite. This training should center on the board’s role in defining cyber security strategy, implementing that strategy and holding the c-suite accountable on cyber security.
Cyber is a peril that touches all companies, from the small corner bakery to a mega Fortune 500 business, making cyber risk a must-address issue for boards. Cyber knowledge gaps can be addressed and strategic steps taken so that a board can confidently influence a firm’s approach to cyber to help protect investments and build the business.
Liberty Mutual’s dedicated underwriters, close partnerships with our clients and brokers, and expert mitigation and claim resources help us deliver cyber liability solutions appropriate to the individual needs of companies across geographies and industries. And learn more here about how we help private equity firms manage their unique risk needs.
About Liberty
Liberty Specialty Markets offers specialty and commercial insurance and reinsurance products across key UK, European, Middle East, US and other international locations.
We provide brokers and insureds with a broad range of products through both the Company and Lloyd’s markets and have over 1,700 staff in approximately 65 offices. Liberty Specialty Markets was established in September 2013 bringing together Liberty’s company, syndicate and reinsurance operations into one combined operation, composed of three business units: Commercial, Specialty, and Reinsurance (Liberty Mutual Re). This integrated approach means brokers and clients can benefit from our global reach and operating efficiencies.
Liberty Specialty Markets is part of global insurer, Liberty Mutual Insurance Group, a diversified global insurer, formed in 1912 and headquartered in Boston, Massachusetts. Liberty Mutual is the 5th largest global insurer based on 2017 gross written premium, with over 50,000 employees in 30 countries and economies around the world. Our purpose is to help people embrace today and confidently pursue tomorrow. The promise we make to our customers throughout the world is to provide protection for the unexpected, delivered with care. We achieve this by offering a full range of personal, commercial, and specialty Property & Casualty insurance coverages. Our customers’ trust has earned us the 68th spot on the Fortune 100 list of largest corporations in the U.S., based on 2017 revenue.