Don’t acquire the threat: cyber due diligence for private equity
This article was first published in January 2019 on CVCA Central.
In today’s ever-evolving technological landscape, cybersecurity threats and incidents are frequently the subject of front-page articles and board discussions. It seems there is no shortage of organizations being held ransom by hackers demanding bitcoin, or informing their customers that their private information is no longer quite as private; unsurprisingly, these incidents often lead to significant losses after breach disclosure, in the form of fines, brand or image damage, ransom payments, downtime, and lost customers.
Considering all these cyber risks, how can private equity firms confidently invest their capital knowing they will not sustain a massive loss, whether financial or reputational, at the hands of a cyber-incident? While there is no silver bullet with regard to cybersecurity, integrating cybersecurity diligence into the deal process helps private equity firms understand the cyber risk inherent in a particular investment, and gives them an opportunity to mitigate, transfer, insure against, and negotiate purchase price adjustments to accommodate that risk.
Why not just get insurance and skip cyber-diligence altogether?
In most cases, cyber insurance policies have security control requirements to help protect the insured organization; if an organization does not have the required controls and there is a cyber-incident, the claim will likely be denied. Cyber-diligence helps organizations understand their control gaps and put together a strategy of remediation and risk transfer (through insurance and other covenants) that aligns with the investment thesis and the private equity group’s risk tolerance.
If you were going to buy a car without airbags, seatbelts, and antilock brakes, you would want to know.
The same goes for purchasing a portfolio company. If you are buying a portfolio company that lacks the basic safeguards to prevent a catastrophic cyber-incident, you want to know before you close the deal.
Cybersecurity diligence covers the logical and technical aspects of cyber risk, including security governance, sensitive data management, identity and access management, security architecture, and incident response practices. Diligence in each of these areas provides crucial insights that relate directly to the security threats and regulatory requirements that put organizations at risk; each of the areas below gives buyers the information they need to make a truly informed purchase decision and helps them avoid inheriting potentially debilitating cyber risk.
Security governance
In today’s environment, people are one of the largest attack vectors for hackers and malicious actors. Attacks take the form of phishing, including attacks personalized to the victim (known as spear phishing), and social engineering, all of which can quickly provide a launchpad for malicious actors to gain access to the organization’s environment. Diligence around security governance helps ensure that a target organization has the proper policies, procedures, and practices in place to minimize the risk posed by these threats, and provides a framework for validating risk mitigation on a consistent basis. This includes evaluating the policies and procedures against leading practices, validating the organization’s security awareness training and compliance testing practices, and reconciling the security governance in place against the requirements of applicable regulations (PIPEDA, GDPR, ITAR, etc.). In doing so, security governance diligence helps buyers understand whether an organization is at increased risk of fines due to non-compliance.
Sensitive data management
The evaluation of how an organization classifies, manages, and safeguards its most sensitive data is another important due diligence area. This includes understanding what sensitive data an organization captures (e.g. personally identifiable information, credit card numbers, health records, etc.), investigating how it is using that information, and evaluating the controls and security measures in place around the sensitive data. Diligence around sensitive data management helps ensure that a target organization is taking appropriate steps to minimize the risk of a data breach, and the fines and brand damage that often come with it.
Identity and access management
Compromised passwords and account information are a common cause of cyber-incidents. Identity and access management focuses on ensuring that an organization properly manages users’ identities (e.g. user accounts) and effectively uses those identities to grant access to the organizational resources each individual needs. Diligence in this area helps assess whether an organization is taking appropriate steps to minimize the risk of account compromise, improper access to organizational resources, and vulnerable passwords.
Security architecture
These diligence efforts focus on the technical aspects of a target’s IT environment, such as ensuring that the environment is built and maintained in alignment with leading security practices. This is a fundamental area of review that helps a buyer understand the inherent risk in the IT environment they are about to inherit, and what is required to remedy the major ‘red flag’ issues.
Incident response
Due diligence in this area focuses on validating that an organization has the proper procedures in place to respond effectively to potential and confirmed security incidents. Effective incident response is instrumental in containing the damage in the event of a cybersecurity incident, while failure to respond effectively often results in widespread damage, larger fines, and a costlier recovery.
As financial, tax, and legal due diligence have become standard operating procedures for private equity firms prior to closing a transaction, so should cybersecurity diligence. Cyber due diligence helps private equity firms take stock of the potential cybersecurity risk of an acquisition, as well as the time, effort, and cost required to adequately address risk areas. In an increasingly complex world where the data companies collect and maintain on their customers, suppliers, and processes is core to their business practices, ensuring the protection of this valuable asset should be a key focus of private equity firms when reviewing transaction opportunities.