PE Firms: Considerations for Addressing Fraud at Portfolio Companies
June 21, 2021
By Mark Brown
Private equity (“PE”) firms managed to weather the storm of economic uncertainty in 2020—with a 6% increase in exit value across 952 exits. However, the pressure to deploy capital and create value continues to grow as firms face unprecedented challenges, including the potential liability for fraud at portfolio companies and the increasing threat of cyberattacks.
Liability for Fraud at Portfolio Companies
An ongoing lawsuit in Massachusetts provides another example of PE firms no longer being shielded from fraud committed at a portfolio company. In U.S. ex rel. Martino-Fleming v. S. Bay Mental Health Centers (D. Mass.), the PE firm defendant was denied summary judgment in a False Claims Act matter in which it was argued that a PE firm can be held responsible for fraud because it had sufficient awareness of regulatory non-compliance and permitted allegedly false claims to be submitted, despite being in a position to put an end to the practice (since it held seats on the board).
Cyberattacks on the Rise
PE-owned companies continue to be a popular target for cybercriminals due to their deep pockets and strong aversion to bad publicity. Overall, we continue to see cybercrime on the rise; ransomware attacks increased by 171% in 2020, to more than $300k per attack, with experts expecting that trend to continue.
How PE Firms Can Respond
If a PE firm has a controlling interest in a portfolio company, there are several steps it can take to help prevent and more easily detect fraud:
- Perform periodic risk assessments (fraud, cyber, data privacy).
- Formalize the compliance program by defining roles and responsibilities as well as documenting policies, procedures and controls.
- Ensure that management’s tone frequently and consistently reinforces integrity and that employees are encouraged to speak up about pressures and performance goals.
- Implement and periodically test anti-fraud internal controls, addressing:
  - Use of authorizations and proper separation of duties.
  - Payments, with a focus on rules requiring multi-factor authentication and verbal confirmations.
  - Third-party risk management (vendor due diligence and ongoing monitoring, vendor additions, periodic review of the vendor master list).
  - Payroll (additions, changes and periodic review).
  - New employee screening (background checks, education verification).
  - Incident reporting mechanisms (awareness, anonymity, independence, non-retaliation).
- Implement ongoing compliance monitoring and process evaluation to test program effectiveness.
- Implement ongoing monitoring of IT security, including periodic phishing simulations and dark web scanning.
- Perform periodic fraud and cyber awareness training (targeted to the audience, with relevant examples).
By enhancing compliance programs to address fraud, cyber and other regulatory risks, PE firms can mitigate risk by making themselves less attractive targets to bad actors.
 Civil Action No. 15-cv-13065-PBS 05-19-2021