Addressing Cyber Threats

By: Megan Starr

As the world recovers from the challenges presented by COVID-19, businesses are experiencing a rapid transformation in how their customers, employees, and suppliers interact. While these changes have unlocked new opportunities, we also believe they have enabled an unprecedented number of cyber threats.

Carlyle seeks to ensure that our portfolio companies have the capabilities necessary to protect against and respond to cyber threats. This key tenet of our technology strategy is also embedded across multiple material-issue categories in the Sustainability Accounting Standards Board (SASB) framework, from data security to customer privacy and critical-incident risk management.

We’ve made cybersecurity a central focus of how we evaluate investments and support our portfolio companies in developing their technology strategies. Our Global Investment Resources (GIR) Technology team established a cybersecurity platform for our portfolio companies that enhances their internal capabilities with a global network of experts, risk transfer tools, and leveraged supplier agreements. Through continuous engagement, we provide portfolio companies with support to assess their level of cyber risk, protect critical assets, and implement programs for ongoing improvement.

Assessing Cyber Risks

In a constantly evolving threat environment, understanding cyber risk is a prerequisite for executing an effective cybersecurity strategy. Starting in the diligence process, we take a standardized approach to assessing cyber risk in potential investments within our Global Private Equity portfolio. Our findings are fed into a value creation plan that provides a prioritization summary and roadmap for addressing opportunities for improvement. To ensure that these efforts are having a material effect, several portfolio companies are regularly scored and benchmarked against their industry peers by an independent third party. At the portfolio level, these evaluations are combined with other key business metrics to provide an overall threat assessment that is leveraged for data-driven decision-making.

Protecting Critical Assets

Occasionally, cyber incidents still occur despite the measures in place to prevent them. We partner with leading insurance carriers to provide our portfolio companies with best-in-class cyber policies and resources to respond and recover. We recognize that the ability to quickly restore business operations and minimize the impact of critical exfiltration are important attributes of a successful cyber-attack response. We work closely with companies to ensure that effective business continuity plans and data protection programs are in place. Our experience with cyber threats has also taught us that education is key in the ability to effectively respond to and mitigate the harmful effects of a cyber incident. To ensure an effective and coordinated response to cyber incidents, we provide training and support resources tailored to our technical, financial, and operational portfolio company leaders.

Implementing Ongoing Improvement

We do not view cybersecurity as a one-time exercise and recognize that cyber threats will increase in frequency and complexity. To meet these challenges, we have established a program for continuous improvement anchored by an interconnected community of portfolio company cybersecurity professionals. Resources available through our program include leveraged agreements with providers of security products and services, expert-led webinars on critical cyber issues, playbooks and standardized guidance for cybersecurity strategy and architecture, a collaboration platform for cybersecurity professionals, and an in-house intelligence function for soliciting and sharing best practices. Our offering in this area continues to grow, guided by cyber experts from leading advisors and direct feedback from the portfolio companies combatting threats daily.

Read more about Our Approach to Impact in our 2021 Impact Review