Why Private Equity Firms Should Make Cybersecurity Diligence as Important as “Quality of Earnings” for New Acquisitions
Cybersecurity is a top concern for businesses of all sizes, and private equity (PE) firms are no exception. In fact, PE firms are increasingly targeted by cyberattacks, as they typically hold a wealth of sensitive information, including financial data, customer information, and intellectual property. At Quadrant, we’ve become increasingly focused on helping PE firms secure their organizations and the IT environments of the companies they own.
We’ve observed a recent uptick in so-called “supply chain hacks,” with attackers targeting third-party vendors that supply critical technology components, gaining access to the target organizations’ systems and data. Notable examples of these supply chain attacks include the headline-grabbing SolarWinds and Kaseya breaches. In a way, private equity firms are the ultimate “supply chain” target, because they tend to have sensitive data and access to the portfolio companies they own, and they tend to have deep pockets.
Indeed, a recent study by the Ponemon Institute found that the average cost of a data breach for a financial services firm was nearly $6 million in 2022. This is significantly higher than the average cost of a data breach for other businesses, which is $4.35 million. It’s clear that even well-protected PE firms are an enticing target for enterprising cyber hackers looking to make a quick buck.
A Uniquely Good Target to Attack
PE firms are often harder to protect than the typical organization. With many employees working remotely, it’s difficult to keep track of who has access to sensitive information and how they are using it. Middle-market PE firms, which comprise the majority of the market, often invest in companies that have been bootstrapped and have not had the IT security budget or expertise to build the necessary internal security controls.
To protect themselves and their portfolio companies from cyberattacks, PE firms need to focus on cybersecurity during the diligence process when they are evaluating potential acquisitions. A data breach or ransomware attack could have a significant impact on the value of the acquisition, and could also damage the reputation of the firm.
Here are a few tips that PE firms can utilize to assess risk of a potential acquisition during due diligence:
- Ask the target company – both the IT team and leadership – about current cybersecurity policies and procedures, and review those controls. When we conduct IT/cybersecurity due diligence on behalf of a firm, we typically complete a gap assessment against the NIST controls.
- Review the target company’s insurance policies, including specific cyber insurance if the company pays for it. We often find that insurance policies have lapsed, or that there is a gap in the target company’s security policies.
- Conduct an open-source threat analysis, including a sweep of the Dark Web to look for compromised employee credentials and other potential threats. We’re often shocked at what’s out there – in rare cases it reveals an active cyber breach, but more frequently it informs post-acquisition remediation recommendations.
- Review the target company's security logs to see if there have been any recent breaches. As a company that specializes in security monitoring and log analysis, we typically recommend this for all diligence processes, assuming the logs are accessible.
- Evaluate the target company's incident response plan. In the event of a cyber-attack, a well-designed incident response plan can help mitigate the damage and limit the impact on the business. We often help PE firms put an effective plan in place and then make sure it’s tested and updated regularly.
- If applicable, evaluate the target company's compliance with industry regulations and standards. Depending on the industry, businesses may be required to comply with certain cybersecurity regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), or the General Data Protection Regulation (GDPR).
We also occasionally conduct penetration tests of the target company's systems to identify any vulnerabilities. We don’t always do this during the diligence phase, as it’s an extremely involved deep-dive process, and sometimes deal teams do not have time – but we often recommend this as a critical “next step” on the post-acquisition roadmap.
It’s important to recognize that not every vulnerability or cyber risk can be remediated before a deal closes – and unless diligence reveals an active breach at the target company, rarely is a risk so severe that we recommend a buyer not complete the planned acquisition. Typically, the most critical output of IT/cybersecurity diligence is the creation of a roadmap or timeline of investment for hardening IT security, remediating vulnerabilities, and filling any gaps.
By conducting a thorough cybersecurity due diligence process, PE firms can help mitigate the risks of a data breach or other cybersecurity incident. This will help protect the value of the acquisition and the reputation of the private equity firm.
To learn more about conducting IT/cybersecurity diligence for your potential investments, contact Quadrant for next steps.