As private equity firms and their portfolio companies continue to pursue record-setting growth, they also face mounting pressure to deliver investor returns and competitive value. In this heightened atmosphere, unique responsibilities and wide-ranging liability challenges abound, from cyber threats to increased compliance. That’s why it’s essential for private equity firms to identify and closely monitor the many strategic, operational, and external risks that can potentially impact them. Here, we outline six of the most pressing issues that should be part of an effective risk-management framework for every private equity firm.
1. Consumer privacy protection
With the California Consumer Privacy Act (CCPA) taking effect Jan. 1, 2020, private equity firms are rushing to prepare for the heightened compliance that the new law requires. The regulations call for both firms and their portfolio companies to more broadly protect consumer information by:
- Disclosing the collection of personal information and how it is used;
- Giving consumers the choice to opt out of the sale and sharing of their information; and
- Informing consumers of the ability to request deletion of the data altogether.
And while the CCPA applies to for-profit firms that engage in business transactions in California, its impact may reach further, because an organization needs to meet just one of the following measures to be required to comply:
- Have annual gross revenue of more than $25 million;
- Derive more than half of its revenue from selling personal information; or
- Collect, sell, and/or share the personal data of at least 50,000 California residents.
California’s law has already ushered in a fresh wave of privacy bills across the U.S., and privacy experts expect the CCPA will continue to heavily influence data protection practices nationwide. To stay on top of these evolving developments, private equity firms should review the types and uses of consumer information they collect, update privacy and notice policies if necessary, and ensure a viable process exists for responding to consumer requests about their data.
2. Compliance risks
The Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations is continuing to follow through on its previously announced top priorities for 2019 – and these include digital assets, cybersecurity, and matters of importance to retail investors (such as fees, expenses, and conflicts of interest).
This emphasis comes on the heels of the SEC’s establishment of a new private funds unit in 2016. As government oversight ramps up enforcement activities around private equity, compliance risks may multiply for firms and their holdings.
For private equity management, this tougher oversight should trigger:
- A deeper focus on due diligence and documentation;
- A culture of compliance with management-led training; and
- A value assessment of appointing and supporting a chief compliance officer.
Bottom line: Not only must private equity firms examine potential partners, acquisitions, and investors more closely, but they should also ensure that their portfolio companies adhere to regulatory requirements in ongoing operations.
3. Fraud and misconduct risks
Unfortunately, every organization is vulnerable to fraud and misconduct. And there’s fresh evidence that these risks are intensifying rapidly. According to PwC’s latest Global Economic Crime and Fraud Survey, a record 53% of U.S. companies were victimized by fraud in the previous 24 months. On top of that, 31% of organizations were asked to pay a bribe. And 37% of companies reported losses from fraud in 2018 of more than $1 million.
By the very nature and characteristics of their business, however, private equity firms are particularly susceptible to risks of corporate misconduct and fraud. A recent report by KPMG identifies these industry-specific reasons:
- Involvement in complex transactions;
- Lean operating structures;
- Intense competition for portfolio company investments;
- Extensive involvement with third-party intermediaries;
- Lack of transparency; and
- Rising trend of investor activism.
To mitigate exposure to these inherent risks, private equity firms must adopt a strategy grounded in the three lines of defense: prevention, detection and monitoring, and response.
4. Crisis management
Crises can happen at any time to any company, of course – resulting from cybercrime, fraud, natural disaster, safety, or supply chain, to name a few. For private equity firms, the ability to recover quickly – and restore public and investor confidence – is crucial, given the speed with which information (good or bad) travels today.
To ensure a crisis-management plan that works, manage risks and consequences by:
- Developing and periodically refreshing a comprehensive response plan;
- Testing and simulating to review and revise as necessary; and
- Applying the plan at the portfolio company level as well.
Taking the time to analyze the potential impacts of such events will help identify additional measures or insurance products that can protect against – and shift the burden of – reputational risk. For example, crisis management insurance will cover the emergency use of public relations teams to mitigate damage to a brand’s reputation following a public incident.
5. Third-party oversight
As private equity firms continue to broaden outsourcing efforts and leverage critical third-party relationships, the scope of potential risk rises in tandem. Acknowledging the trend, regulators have made it clear that outsourcing an activity or function doesn’t relieve firms of their ultimate responsibility for compliance. They must actively oversee these relationships – or be liable for intentional or inadvertent wrongful acts of their third-party business partners.
An effective, formalized due diligence program that monitors the performance and reviews the value of all partners can help ensure quick detection of possible problems. For ongoing third-party risk management, take the following steps into consideration:
- Define the scope of risks involved;
- Determine a timeline for third-party monitoring and reporting;
- Review compliance history and conduct internal audits; and
- Keep documentation of the due diligence process and results.
6. Cyber and technology risks
While all companies are exposed to cyber threats, private equity firms face a wider array of cyber risks from both internal and external sources, in large part due to ownership in a diverse set of portfolio companies. These sources can include:
- Third parties engaged by the firm; or
- Other players on the outside that may share management responsibilities with the firm.
Moreover, because private equity backers are investing in a business’s future growth, objectives are often focused on swiftly leveraging strengths and efficiently targeting returns. The problem? A heavy focus on financial growth and productivity can come at the expense of cyber-risk management and control. Inconsistencies in the application of security across the firm – such as within infrastructure and systems – may lead to unintended exposures. To address the risk, it’s critical to develop a consistent set of mandated security controls throughout the firm and its portfolio companies.
In addition, managing risk within a company’s entire technology footprint will become more challenging as a private equity firm expands. That means an ever-growing list of potential risks related to:
- Cloud-based software;
- Identity and access;
- Intellectual property safeguards; and
- Investor information protection.
Discovering dedicated private equity protection solutions
Integrating key insurance coverage can help transfer and mitigate potential risks that private equity firms may face. Liberty Mutual Insurance understands the pressures and requirements of private equity and has the experience, coverages, and resources to meet your firm’s unique needs and risks.