As private equity firms and their portfolio companies continue to perform well, they also face mounting pressure to deliver investor returns and competitive value. In this heightened atmosphere, unique responsibilities and wide-ranging liability challenges abound, from cyber threats to increased compliance. That’s why it’s essential for private equity firms to identify and closely monitor the many strategic, operational, and external risks that can potentially impact them. Here, we outline six issues that should be part of the risk-management framework for a private equity firm.
1. Consumer privacy protection
Under the California Consumer Privacy Act (CCPA), private equity firms must prepare for the heightened compliance that the law requires. The regulations call for both firms and their portfolio companies to protect consumer information more broadly by:
- Disclosing the collection of personal information and how it is used
- Giving consumers the choice to opt out of the sale and sharing of their information
- Informing consumers of the ability to request deletion of the data altogether
And while the CCPA applies to for-profit firms that engage in business transactions in California, its impact may reach further because organizations also need to meet just one of the following measures to be required to comply:
- Have annual gross revenue of more than $25 million
- Derive more than half of its revenue from selling personal information
- Collect, sell, and/or share the personal data of at least 50,000 California residents
California’s law has ushered in a fresh wave of privacy bills across the U.S., and privacy experts expect the CCPA will continue to influence data protection practices nationwide. To stay on top of these evolving developments, private equity firms should review the types and uses of consumer information they collect, update privacy and notice policies if necessary, and ensure a viable process exists for responding to consumer requests about their data.
2. Compliance risks
The Securities and Exchange Commission’s (SEC) Division of Examinations is continuing to follow through on its previously announced top priorities for 2021, including a greater focus on climate and environmental, social, and governance (ESG) related risks, business continuity, and disaster recovery plans, and the fiduciary responsibilities of retail investors.
This emphasis comes on the heels of the SEC’s establishment of a private funds unit back in 2016. As government oversight ramps up enforcement activities around private equity, compliance risks may multiply for firms and their holdings.
For private equity management, this tougher oversight should trigger:
- A deeper focus on due diligence and documentation
- A culture of compliance with management-led training
- A value assessment of appointing and supporting a chief compliance officer
Bottom line: not only must private equity firms examine potential partners, acquisitions, and investors more closely, but they should also ensure that their portfolio companies adhere to regulatory requirements in ongoing operations.
3. Fraud and misconduct risks
Unfortunately, every organization is vulnerable to fraud and misconduct. And there’s fresh evidence that these risks are intensifying rapidly. According to PwC’s latest Global Economic Crime and Fraud Survey, 47 percent of U.S. companies were victimized by fraud in the previous 24 months, with the most common types being customer fraud, cybercrime, and asset misappropriation. The costs of these reported crimes totaled $42 billion.
By their very nature and characteristics of the business, however, private equity firms are particularly susceptible to risks of corporate misconduct and fraud. A report by KPMG identifies these industry-specific reasons:
- Involvement in complex transactions
- Lean operating structures
- Intense competition for portfolio company investments
- Extensive involvement with third-party intermediaries
- Lack of transparency
- Rising trend of investor activism
To mitigate exposure to these inherent risks, private equity firms must adopt a strategy grounded in the three lines of defense: prevention, detection and monitoring, and response.
4. Crisis management
Crises can happen at any time to any company, of course – resulting from cybercrime, fraud, natural disaster, safety, or supply chain, to name a few. For private equity firms, the ability to recover quickly – and restore public and investor confidence – is crucial, given the speed with which information (good or bad) travels today.
To ensure a crisis-management plan that works, manage risks and consequences by:
- Developing and periodically refreshing a comprehensive response plan
- Testing and simulating to review and revise as necessary
- Applying the plan at the portfolio company level as well
Taking the time to analyze the potential impacts of such events will help determine additional ways or insurance products that can help protect – and shift the burden of – reputational risk. For example, crisis-management insurance will cover the emergency use of public relations teams to mitigate damage to a brand’s reputation following a public incident.
5. Third-party oversight
As private equity firms continue to broaden outsourcing efforts and leverage critical third-party relationships, the scope of potential risk rises in tandem. Acknowledging the trend, regulators have made it clear that outsourcing an activity or function doesn’t relieve firms of their ultimate responsibility for compliance. They must actively oversee these relationships – or be liable for intentional or inadvertent wrongful acts of their third-party business partners.
An effective and formalized due diligence program of monitoring performance and reviewing value of all partners can help ensure quick detection of possible problems. And for ongoing third-party risk management, take the following steps into consideration:
- Define the scope of risks involved
- Determine a timeline for third-party monitoring and reporting
- Review compliance history and conduct internal audits
- Keep documentation of the due diligence process and results
6. Cyber and technology risks
While all companies are exposed to cyber threats, private equity firms face a wider array of cyber risks from both internal and external sources, in large part due to ownership in a diverse set of portfolio companies. These sources can include:
- Third parties engaged by the firm
- Other players on the outside that may share management responsibilities with the firm
Moreover, because private equity backers are investing in a business’s future growth, objectives are often focused on swiftly leveraging strengths and efficiently targeting returns. The problem? A heavy focus on financial growth and productivity can come at the expense of cyber-risk management and control. Inconsistencies in the application of security across the firm – such as within infrastructure and systems – may lead to unintended exposures. To address the risk, it’s critical to develop a consistent set of mandated security controls throughout the firm and its portfolio companies.
In addition, managing risk within a company’s entire technology footprint will become more challenging as a private equity firm expands. That means an ever-growing list of potential risks related to:
- Cloud-based software
- Identity and access
- Intellectual property safeguards
- Investor information protection
Discover dedicated private equity protection solutions
Integrating key insurance coverage can help transfer and mitigate potential risks that private equity firms may face. Liberty Mutual Insurance understands the pressures and requirements of private equity and has the experience, coverages, and resources to meet your firm’s unique needs and risks. Learn more about our private equity capabilities here.
This website is general in nature, and is provided as a courtesy to you. Information is accurate to the best of Liberty Mutual’s knowledge, but companies and individuals should not rely on it to prevent and mitigate all risks as an explanation of coverage or benefits under an insurance policy. Consult your professional advisor regarding your particular facts and circumstance. By citing external authorities or linking to other websites, Liberty Mutual is not endorsing them.