Cyberattacks have been rapidly increasing in size and scope, and PE firms need to take steps to defend themselves and their portfolio companies. Cybercriminals are not just focusing on mega-cap companies anymore; they are now turning their attention to private equity due to the significant amount of money that orbits this universe.
Soon after a PE firm announces a deal, the bad actor community takes note. Cybercriminals may track companies that receive PE funding, because they know these companies now have more capital behind them. They also know many of these companies may not have sophisticated IT and security solutions to prevent or detect an attack.
In fact, we’ve seen a significant increase in attacks on portfolio companies directly following the announcement of a PE deal – even a small deal including add-ons to an existing platform. Bad actors will hit a company and, if they’re successful, will then move through the portfolio, on the assumption that if Company A wasn’t well protected, then Companies B, C, and D probably aren’t either.
Hackers may encrypt the entire network and bring operations to a screeching halt if the portfolio company doesn’t pay a hefty ransom. Or they may worm their way into the company’s IT systems and go after sensitive information and exfiltrate the data without being noticed.
Amid this increase in attacks, PE firms should take a close look at the security systems and processes of their target companies, as well as their existing portfolio companies. In particular, PE firms should ask serious questions about a company’s cybersecurity practices as part of their due diligence efforts. It’s increasingly important to know if a company can withstand an attack and, if not, what steps must be taken to strengthen security during the deal and immediately post-close.
Here are five ways PE firms can assess and address the cyber preparedness of prospective acquisitions, and in doing so strengthen the security of their existing portfolio companies and of the firm as a whole.
1. Start with cyber diligence.
PE firms would never do a deal without first performing accounting and financial due diligence. Neither should they close a deal without doing their cyber diligence. A cyber diligence assessment should examine risks and threats in the target company’s IT assets and the scope of damage that could occur in the event of a breach. It might include penetration testing to see what systems are susceptible to being hacked, as well as simulated phishing attacks to see if employees can be tricked into clicking malicious links, revealing their passwords or other sensitive information.
Cyber diligence might not always deliver complete assurance of the target company’s ability to defend itself against cyber threats, but can provide a reasonable understanding of the company’s current capabilities.
2. Make cyber preparedness part of the valuation process.
PE firms should now be quantifying the value of cyber preparedness. How is the target company currently monitoring threats? How is the company enforcing secure access to critical systems and company resources? What kind of response plan does it have in the event of a cyberattack? How quickly can the company recover if an attack disrupts its supply chain? The ability of the company to answer questions like these should impact the way a deal is structured and valued.
And, in case a target company does get hit by an attack, there should be a sum of money kept in escrow as an insurance policy, to defray at least some of the cost. IBM’s Cost of a Data Breach Report 2021 reported an average breach cost of $4.24 million, the highest average cost in the report’s 17-year history.
3. Require companies to fix high-risk issues.
Cyber preparedness is an area where PE firms must take an increasingly hard line. In the old days, the joke was that firms would do their IT diligence, but they knew a deal would never fall apart because of IT shortcomings. In the new digital economy, deals can, should, and do fall apart because of cyber risks.
PE firms should require that target companies remediate their highest-risk issues prior to closing a transaction. They should also request that target companies take on cyber insurance. Purchasing a comprehensive cyber insurance policy can help ensure survival when security fails and large capital expenditures are required to recover data and get the company back on track.
4. Put an accelerated roadmap in place.
PE firms focus on how to create value from Day 1. In the standard diligence process, they write a 100-day plan to guide new portfolio companies in making necessary improvements so they can hit the ground running. But in the case of cyber, a 100-day plan is not nearly fast enough. Because it’s not unusual for a company to get hit within days or weeks of announcing a PE investment, there simply is not the luxury of waiting 100 days to get up to speed on cyber.
This raises the interesting question of when to announce a deal. If a PE firm is buying a business with significant cyber risks, it should think seriously about holding off on the acquisition announcement until the target company has addressed those cyber weaknesses. In fact, it is not uncommon now for PE firms to hold off on announcing deals for several months, until they feel confident that an acquisition has suitably addressed its cyber issues.
5. Encourage both target and portfolio companies to implement a standard set of cyber technologies.
Smart PE firms are doing their own research on cyber solutions and then recommending that all their portfolio companies implement those solutions, which typically include vulnerability management, endpoint security, multi-factor authentication, backup and recovery, and more. This has several key benefits. For one, it enables a PE firm to negotiate a deal with cyber and IT vendors and get a volume discount.
Another key benefit is consistency across the entire security posture. If a PE firm is using the same set of solutions across its entire portfolio, it has a better idea of exactly what cyber risks to look for. There are also efficiencies to be gained, as the firm can now get a holistic view of emerging cyber risks and incidents across its entire portfolio.
A few short years ago, very few PE firms were focused on cyber. Today, more firms have come to realize that cyber diligence is not a nice-to-have but a need-to-have, because it leads to fewer risks and greater returns.
Subject matter expertise
Managing Principal - Financial Sponsors & Financial Services Industry
CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy