To the extent you are managing risk at your firm, are you managing the risks at your underlying investments. The SEC has been asking about this topic in exams.
The most obvious area is cybersecurity. Many of those requirements are not dependent on the company, so cybersecurity compliance carries over.
Compliance can create value to the portfolio by helping them navigate cybersecurity risk. With that risk monitored and a compliance program in place, the portfolio company may be more valuable to future buyers.
The challenge is that many private fund CCOs barely have (or don’t have) the knowledge/background to fully tackle cybersecurity risk.
There is also the problem of portfolio company liability being passed up to the fund if there is a cybersecurity problem. The fund manager could be blamed for the problem instead of the portfolio company. It’s hard to make that go away. The key would not be scaling back the cyber program. You are probably better off showing that you increased the effectiveness of the cyber program even if it was not enough to prevent the problem.
(This session was subject to the Chatham House Rule so I have not identified the participants and have not attributed any of the statements to anyone.)
