EY-Parthenon interviewed numerous clients to lay out the current private equity cyber threat risk and legal landscape and the role funds can play to push back against criminal disruption of their business model. There are lessons from several funds that have confronted cyber threats and can explain how they play a more active role in addressing them. Finally, we address how a mature, fund-led cyber program can not only reduce risk but increase a fund’s competitiveness and ability to innovate.
The current private equity cybersecurity threat landscape
The evolving tactics of cybercrime groups have made the cybersecurity issue a particularly prominent one for private equity. Here are just a few of the relevant data points showing the increased threat:
- A recent Federal Bureau of Investigation (FBI) bulletin warned the private sector that ransomware actors are highly likely to use significant financial events, including mergers and acquisitions, to target companies for reconnaissance and ransomware infections.¹ Given the high volume of acquisitions, mergers and divestments conducted by private equity, this is especially relevant.
- The Wall Street Journal reported in March 2022 that hackers had “begun to eye midsize companies...which had or are about to have a deep-pocketed owner like a private equity firm.”²
Threat actors understand that transactions can create confusion and distraction for both buyers and sellers, making companies going through M&A attractive targets for exploitation and extortion. Luke Dembosky, Partner and Co-chair of Data Strategy and Security at the law firm of Debevoise & Plimpton, specializes in incident response. He sees daily how threat actors are increasingly setting their sights on mid-market companies. Dembosky reports:
As many large organizations have upped their defenses and resiliency, organized cybercrime groups have focused their efforts on mid- and smaller-sized entities, including many private equity portfolio companies. With ransomware and other extortion schemes, for example, entities of this size tend to be prime targets because some, but certainly not all, have fewer protections or have gaps in their defenses, but they are still large enough to pay a sizable ransom.
Lucia Soares, Managing Director and CIO at The Carlyle Group, agrees: “The increased frequency and impact of cybercrimes have been the driving force behind our efforts to educate and advise portfolio companies on the threats and mitigation strategies businesses can consider to reduce their cybersecurity risk and preserve the value of their technology investments.”
The legal landscape
The increased attacks by malicious actors against portfolio companies also come in the middle of a flurry of recent legislation and regulations with a number of wide-ranging effects:
- Expanded minimally acceptable security standards for businesses
- Increasingly rigorous and specific requirements for corporate boards to conduct oversight of company cyber programs
- Requirements that potential government contractors demonstrate more robust security if they hope to compete for both government and private sector business
Some recent examples:
- In August 2022, the New York Department of Financial Services (NYDFS) announced heightened expectations for companies it regulates, including more robust participation by boards, tighter control over privileged accounts and certifications of compliance by company CEOs (as opposed to just chief information security officers (CISOs)).
- In March 2022, the U.S. Securities and Exchange Commission (SEC) unveiled proposed rule changes which, among other things, would require corporate boards of publicly traded companies to disclose additional details about their role in managing cyber risk, including disclosures about board expertise in cybersecurity matters, the way the board stays informed about cyber risks and the frequency of such discussions.
- In May 2021, an executive order from President Joe Biden leveraged the vast purchasing power of the federal government by requiring vendors selling or licensing software to the government to demonstrate substantially improved software security in order to compete for federal contracts; follow-on federal guidance in September 2022 set out how vendors must attest to those practices.
“Regulator and broader public expectations on corporate cybersecurity are rising fast,” says Dembosky. “Regulators have become much more sophisticated on these issues and know what questions to ask. They are holding senior management and boards accountable for the company’s cybersecurity program, starting with their direct involvement in understanding the cyber risks a company faces, the key information assets and how they are being protected, and the risk decisions that are being made.”
How to manage private equity cybersecurity strategy throughout the transaction lifecycle
Cybersecurity is relevant for private equity in four distinct phases of the ownership lifecycle:
- Due diligence: The increasingly short period when the fund considers acquiring a potential portfolio company
- Announcement and onboarding: A period of heightened cyber risk and an opportunity for private equity to establish the tone and nature of its relationship with the portfolio company’s management and security team
- Value creation: Typically, a three- to five-year period in which cyber risk can be systematically reduced
- Exit: When a clean breach record and enhanced cybersecurity can be an attractive selling point or when inadequate cybersecurity can turn into a pain point in the sale and be a source of value erosion
Although each private equity firm is different and summarizing best practices is difficult, lessons can be learned from funds that are pushing the envelope today, in four phases of the transaction lifecycle.
Phase 1: Private equity cybersecurity strategy in due diligence
Understanding cyber risk before purchasing a company is becoming table stakes in pre-acquisition diligence. Forbes reported in July 2022 that 65% of companies “experience regret in making an M&A deal due to cybersecurity concerns.”³ Litigation in US federal courts and regulatory investigations in Europe have made it clear that acquirers may be found negligent for failure to conduct proper diligence of their acquisition’s security posture and data privacy compliance.
According to Benjamin Eason, Managing Director of Cyber at Apollo Global Management, “Just as cyber programs are shifting, so is fund cyber risk management. It starts with doing consistent, quality diligence. Access to management is always limited so it is critical to efficiently cover” both the fundamentals of security inherent in any deal and leave time for the factors “unique to each deal and each business threat model.” Dembosky agrees:
Technology, related intellectual property, and data assets are increasingly the focus of M&A deals. This trend, coupled with escalating cybersecurity and data privacy risks, has made it incredibly important to drill down on these issues in due diligence. A simple set of written check-the-box diligence questions is often not enough anymore. The stakes are simply way too high in many deals to start to dig in on these points only after closing.
Where cyber diligence goes from here:
- Robust cyber diligence includes understanding technical and regulatory risk for each specific company’s business model, history of incidents, resources required to address known security gaps, the most important next steps required to reduce risk and the likely cost of these improvements.
- Within the realm of private equity, diligence is also an opportunity for funds to gather key performance indicators of an acquired company’s cyber program. Those indicators can then be tracked and improved throughout the ownership lifecycle.
- Technical testing during diligence can refine and improve insights. Rapid deployment of endpoint protection, testing of custom code to understand security and open-source dependency risk, and other measures are increasingly accepted as necessary either pre-sign or as soon as possible thereafter.
- Driving diligence findings into the company’s onboarding process can spur short-term action for both the fund and the portfolio company and can help achieve alignment on needed longer-term improvements.
Phase 2: Private equity cybersecurity strategy during announcement and portfolio company onboarding
After a deal is signed, there is an understandable tendency to shift attention away from cybersecurity. Deal professionals are often exhausted. Newly acquired portfolio companies need to turn their attention to preparing a business strategy that aligns with the expectations of their new owners. Funds often have no established processes or resources dedicated to helping to protect their investment during this period of increased risk. Yet the FBI and other sources tell us this is the precise time when some threat actors are most likely to pounce.
Where the announcement phase and portfolio company onboarding process are going from here:
Put simply, the transaction announcement and onboarding require swift action to mitigate threats. Some examples of actions that investment funds can take include:
- Conducting a number of short-term technical risk mitigation measures. These can include rapidly deploying advanced endpoint protection across the newly acquired company’s network, verifying that backups are isolated from the production network and have actually been test-restored so they are usable in an incident, enabling multifactor authentication on critical systems and applications (starting with remote access and privileged accounts), educating employees about the increased risk, and stepping up simulated phishing campaigns to keep employees alert.
- Setting the right expectations. Himanshu Udeshi, Managing Director (Digital) at TowerBrook Capital Partners, has already made cybersecurity a key focus. “Cybersecurity is built into the company charter created post-close,” he says. “Minutes and records are kept, [so] there is no getting out of it.”
- Offering fund-provided services. As funds become increasingly involved in protecting their portfolio, funds can be ready for incoming portfolio companies with a package of preprepared protective services. This also sets the right tone that the fund will work collaboratively with its portfolio companies.
- Stitching together available information to drive a solid and realistic plan. During the post-sign and post-close periods, leaders’ diligence observations “must get out of the reports and spreadsheets and onto the agenda,” according to Eason.
Phase 3: Private equity cybersecurity strategy in the value creation period
During the typical three- to five-year portfolio company holding period, many funds have struggled with what they can and should be doing about cybersecurity for their portfolio companies. Funds have had to balance a traditional hands-off approach to managing company operations with the increasing impact of cyber attacks.
Fund-level efforts that have emerged over the past several years include:
- Designating a single point of contact at the fund to be responsible for cybersecurity. This role is increasingly filled by a cyber-specialist such as a former chief information security officer or another experienced professional
- Using available data to identify security weaknesses and vulnerabilities, with follow-up to verify that portfolio companies address issues
- Building information-sharing communities among portfolio companies to share threats and best practices
- Providing threat intelligence to portfolio companies
As the damage from cybercrime continues to increase, PE investors and portfolio companies are at an inflection point and need to think even more about cybersecurity during the value creation period.
Where the value creation period is headed from here
PE funds can create a more robust approach to protect their investments with a number of cybersecurity tools. “Most [private equity leaders] are still rapidly iterating on their approach. As companies mature and threats evolve, these programs will too. I expect significant changes to this part of the industry over the next five years,” says Eason at Apollo.
The most effective programs can drive change by focusing on a fund’s unique position relative to its portfolio companies, rather than stepping in and trying to be overly prescriptive or only offering tactical assistance when crises arise.
Here are some fund actions that have proven particularly effective:
- Find the right talent. Funds can play a major role here. According to Soares, “Perhaps the most important [element of a successful program] is finding the right talent. In our experience, providing advice, tools and resources is not sufficient unless the right leader is in place to drive execution and transform the company culture to one that understands and manages its cyber risk effectively.”
- Use diagnostic tools and accelerators. With an appropriate technology-enabled platform, an advisory team can collaboratively assemble data across the portfolio to understand and resolve common pain points across companies, track cybersecurity projects to completion, identify opportunities for synergies, define and track security metrics, and increase communication among all the relevant stakeholders.
- Harness the fund’s visibility into all portfolio companies to drive data-driven insights. “Data and analytics have a key role to play in how fund involvement evolves next. Because fund investors have the unique ability to compare benchmarks, trends, risks, etc., I believe funds will use this data to help individual companies learn faster and deploy best practices more easily to decrease cybersecurity risk,” says Soares. Udeshi agrees: “Funds have traditionally not had the right information about their portfolio companies’ cyber programs. Funds can use more in-depth assessments to take their program to the next level.”
- Enlist the support of insurance brokers. They can help analyze portfolio companies’ ability to renew insurance coverage, obtain the right amount of coverage and pay competitive rates for insurance.
- Establish a culture of accountability and enable the relevant players to perform their roles. Funds recognize that education of portfolio company board members is an essential component of the solution. Proper board education will also reduce compliance risk as regulatory expectations of board members continue to rise. “Board members are measured on their ability to ensure that the company charter is satisfied, including the cybersecurity components,” says Udeshi at TowerBrook.
- Set clear, specific, attainable best practices for portfolio companies. One fund that implemented such a program defines a set of specific controls and best practices that new portfolio companies are expected to meet within a reasonable period of time. This fund has a multiyear plan to raise the minimum cybersecurity controls, to keep pace with the changing threat and regulatory landscape, and to create a culture of continuous improvement. This helps portfolio companies, which often lack a dedicated cybersecurity team, to understand where to focus their energies.
- Drive economies of scale. Far-sighted vendors see the opportunity to pair with funds by extending substantial, single-entity discounts, rather than treating portfolio companies as disparate entities. While there are complexities in contracting and invoicing, the potential upside is clear. Funds and portfolio companies win by obtaining higher-quality security services at cheaper prices, and vendors gain reliable business with less marketing effort as a trusted solution across the portfolio.
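As an added example that is not part of the EY-Parthenon article, the following Python tracker shows how a fund could turn three of the practices above into data: a baseline of required controls with a grace period after close, follow-up on open diligence findings past their due date, and a cross-portfolio benchmark of which controls are most often missed. The baseline controls, grace periods, the three portfolio companies and their findings are constructed sample data, not real companies or a real fund's standard.

```python
"""Portfolio-level cybersecurity control tracker (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical fund baseline: control id -> days after close by which it must be met.
BASELINE = {
    "mfa_remote_access": 30,
    "edr_coverage_95pct": 60,
    "offline_tested_backups": 90,
    "privileged_access_review": 180,
}

# Reporting date used by the sample run below (constructed).
AS_OF = date(2023, 6, 30)


@dataclass
class Finding:
    id: str
    severity: str          # "critical" | "high" | "medium" | "low"
    due: date
    closed: bool = False


@dataclass
class Company:
    name: str
    close_date: date
    controls_met: set[str]
    findings: list[Finding] = field(default_factory=list)


def baseline_gaps(company: Company, as_of: date) -> list[tuple[str, int]]:
    """Controls still unmet after their deadline (close + grace), with days overdue."""
    gaps = []
    for control, grace_days in BASELINE.items():
        deadline = company.close_date + timedelta(days=grace_days)
        if control not in company.controls_met and as_of > deadline:
            gaps.append((control, (as_of - deadline).days))
    return sorted(gaps)


def overdue_findings(company: Company, as_of: date) -> list[Finding]:
    """Open diligence findings whose due date has passed: the fund's follow-up list."""
    return [f for f in company.findings if not f.closed and f.due < as_of]


def compliance_pct(company: Company) -> float:
    """Share of baseline controls the company reports as met, regardless of deadline."""
    return len(company.controls_met & BASELINE.keys()) / len(BASELINE)


def benchmark(companies: list[Company]) -> list[tuple[str, int]]:
    """Controls ranked by how many portfolio companies still lack them (common pain points)."""
    unmet = {c: 0 for c in BASELINE}
    for company in companies:
        for control in BASELINE:
            if control not in company.controls_met:
                unmet[control] += 1
    return sorted(unmet.items(), key=lambda kv: (-kv[1], kv[0]))


def sample_portfolio() -> list[Company]:
    """Three constructed portfolio companies at different points in the holding period."""
    return [
        Company("AlphaCo", date(2023, 1, 15),
                {"mfa_remote_access", "edr_coverage_95pct", "offline_tested_backups"},
                [Finding("F-1", "high", date(2023, 5, 1)),
                 Finding("F-2", "medium", date(2023, 8, 1))]),
        Company("BetaCo", date(2022, 10, 1),
                {"mfa_remote_access"},
                [Finding("F-3", "critical", date(2023, 1, 31)),
                 Finding("F-4", "low", date(2023, 3, 1), closed=True)]),
        Company("GammaCo", date(2023, 5, 1), set()),
    ]


def portfolio_report(companies: list[Company], as_of: date) -> dict:
    """Per-company status the fund's cyber lead can put on the board agenda."""
    return {
        c.name: {
            "compliance_pct": compliance_pct(c),
            "baseline_gaps": baseline_gaps(c, as_of),
            "overdue_findings": [f.id for f in overdue_findings(c, as_of)],
        }
        for c in companies
    }


if __name__ == "__main__":
    portfolio = sample_portfolio()
    for name, status in portfolio_report(portfolio, AS_OF).items():
        print(name, status)
    print("Most commonly missed controls:", benchmark(portfolio))
```

The grace-period deadline is what makes the list actionable: a company two months past close with no endpoint coverage is a follow-up item, while one three weeks past close is not yet. The benchmark view is the fund-only perspective the text describes, since no single portfolio company can see that a control is missing across most of the portfolio.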
Setting expectations on cybersecurity liabilities and costs:
- Liability. Some funds worry that getting too involved in the portfolio company’s cybersecurity could increase risk to the fund itself. But this risk should not become the tail that wags the dog. While firms are understandably wary about dictating a company’s cyber program, “that doesn’t mean they cannot make ample cyber-related resources available to them and press them to make good choices,” Dembosky says. Fund leaders like Soares find that expectations can be set without overly prescriptive mandates. “Given how unique each portfolio company is, mandating projects or specific initiatives could be counterproductive. We set clear expectations that cybersecurity risk be assessed, discussed, and monitored like any other risk or regulatory requirement.”
- Funding. While some funds have struggled with how to pay for fund-level cybersecurity staff and resources, others are finding creative ways to cover the expense. For example, one fund embeds the cost of its cyber program within the management fees that portfolio companies pay to the fund. This sped development of the fund’s cybersecurity program and reduced resistance to invoices for portfolio services. The approach also gave portfolio companies an incentive to take advantage of fund-level services, since they had already contributed resources to the program.
Phase 4: Private equity cybersecurity strategy and exit readiness
As discussed, cyber diligence is increasingly table stakes for buyers in mergers and acquisitions. Yet surprisingly, cybersecurity is often overlooked when companies prepare for exit readiness. This increases the risk that cybersecurity becomes a factor in a deal falling apart or being delayed. Addressing cybersecurity is critical for sellers as buyers and investors continue to demand assurance about the cyber risks they may face. In the Forbes article previously cited, the head of the Information Security Forum predicts that by 2025, cybersecurity will be “a primary deciding factor” in M&A due diligence.
Where exit readiness is going from here: Funds must be prepared to prevent value erosion when it is time for exit. If there is a robust and thoughtful investment in cyber during the value creation period, then there will already be successes and data available to show that risk has been lowered.
Getting ready for exit involves preparing portfolio company security teams for serious scrutiny during the stressful M&A process so they can present a coherent narrative to potential buyers about program strengths, improvements, gaps and future plans. This can lower the risk that cyber becomes a sticking point between the parties during negotiations.
Viewing the challenge in four distinct phases — due diligence, announcement and onboarding, value creation, and exit — is helpful for decision-makers to understand and respond appropriately.