Cybersecurity has become an increasingly regulated area of risk for many businesses in the digital world. As technology has advanced and cyber-attacks have become more sophisticated, the measures needed to protect business’ data from breaches become more extensive too. This is mirrored by an increased regulatory environment where sanctions are implemented more strictly and conservatively by regulators.
Businesses need to review their cybersecurity practices and consider the associated risks that come with holding different types of data. For example, commercial and financial data can be incredibly valuable to business operations, but can also cause significant disruption to business if compromised. Additionally, when processing personal data, there is an added risk of breaching data protection legislation and being subject to action, including significant fines, from data protection regulators as well as complaints from individuals.
As a result, it is unsurprising that the Wall Street Journal published an article recently noting that many private equity firms are increasing their focus on the cybersecurity practices of their portfolio companies, and the associated risks.
What are the risks?
High-profile data breaches such as the Marriott breach, for which a substantial fine of $23.8 million was issued in 2020, are clear examples of how costly inheriting problems in a company’s cybersecurity practices can be. By way of reminder, the breach took place in 2014 and related to a hotel guest database of the Starwood Brand, which was acquired by Marriott in 2016. The breach went undiscovered until two years after the acquisition and Marriott was left liable for the historic security vulnerabilities, that led to the high-profile regulatory fines.
Public regulatory action relating to a company’s cybersecurity failures can be incredibly costly, both in terms of customer trust, as well as financial penalties. Customers can be quick to lose trust in businesses that are publicly reprimanded for failing to protect their data, and data protection regulators have become increasingly focused on data breaches that relate to security practices.
In 2022, there were over 75 fines issued in the EU, the largest being €17 million, which cited insufficient technical and organisational measures to ensure data security as the issue of non-compliance.
What practical steps are private equity firms taking?
Many private equity firms are implementing a standardised approach to cybersecurity across their portfolios, which allows for some contextual variation for groups in certain industry sectors or geographies that may be seen as higher risk. Ensuring that corporate groups adhere to a uniform standard is a sensible tactic as it ensures a baseline standard of security and avoids the risk of a ‘weak link’ company creating a group-wide risk, especially where IT assets are shared. Uniformity also allows for any identified faults to be addressed time-efficiently and cost-effectively without the need for more bespoke forensic investigating into each entity.
In terms of portfolio management, private equity firms are implementing changes to ensure a minimum level of cybersecurity practices across their portfolio companies. The WSJ article notes that for some firms this includes consulting with virtual CISOs on a monthly basis to provide advice and to help portfolio companies test controls and create appropriate security policies and practices.
In terms of acquisitions, private equity firms are focusing on their assessment of cybersecurity measures during transactional due diligence processes, ensuring that any targets have robust technical and organisational measures in place that are appropriate to the business size and industry sector. Firms are investing more heavily in these preliminary diligence stages to protect against the risk of inheriting high-risk vulnerabilities that could lead to future, or historic, data breach liabilities.
Gone are the days of cybersecurity diligence being an optional part of the diligence process. Now diligence is likely to be one of the pillars of focus going beyond mere verification of the existence of internal policies and procedures to taking active measures including instructing third-party technical specialists to conduct penetration testing and network scanning on the businesses to test their cybersecurity defences.
Implementing more robust, and perhaps uniformed, security measures across portfolio companies may be a cost for private equity firms to bear in the short term. However, considering the risks of security failures and the additional value that attaches to robust cybersecurity practices when assessed at exit, it could turn out to be pennies spent now that make dollars later.
What can private equity targets do?
Businesses have now been warned about the risks of security failures, and poor practices could lose them investment, or even worse in the event of a breach, could cost businesses time, money, and reputation. The WSJ article notes that even small companies and start-ups are now expected to have some form of cybersecurity regime in place. Companies that are seeking private equity investment should review their cybersecurity practices to ensure that they are effective and appropriate to the size and operation of their business.
Any company considering external investment should consider reviewing their cybersecurity practices ahead of seeking such investment and be aware of the robust transactional due diligence processes in this area. Companies could consider testing their own controls by means of penetration and other security testing, ensuring that their security policies and procedures are up to date and that any remediation steps from previous incidents or vulnerabilities have been addressed.
We predict that cybersecurity will remain a key focus of risk across the private equity industry, as the risk of data breach and the associated costs remains ever-present in the modern world across all sectors and business types.
The personal data businesses hold can be a valuable asset, but failure to adequately protect it can be an expensive risk to take and the asset can swiftly become a liability. The approach being taken by private equity firms is one that all businesses should be taking note of.
Private-equity companies are taking a closer look at how their portfolio companies manage their cybersecurity, often before a deal is signed.