Return to search

Cyber-risk due diligence for PE firms: the hows and whys

Steve Lancaster, chief executive of consultancy CYSIAM, makes the case for cyber-risk evaluations on acquisition targets, and explains how to do them.

The ever-evolving cyber threat presents real and growing risks to organizations. Evaluation and management of these risks needs to be a fundamental part of the due diligence process in M&A activity. If companies do not fully understand and manage the vulnerabilities presented by their use of technology, the private equity investors who fund these businesses must. It’s not just the impact that a cyber-related breach can have on the value of an investment or the company’s reputation; it will also trigger questions from LPs about a private equity firm’s approach to managing cyber-risks across the rest of the portfolio.

Cybersecurity checklist

As a minimum for every investment, acquirers should:

– Conduct vulnerability scanning of the target’s external access points, internal networks, web-facing applications and critical assets

– Review relevant policies and evidence of implementation

– Conduct compliance checks against legal and common framework requirements

– Review key customer and supplier contracts and their technical access to the target

While private equity firms by and large recognize these issues and are increasingly incorporating cybersecurity as part of due diligence, the approach and level of sophistication varies considerably. In many cases, firms will seek evidence of information security standards such as ISO 27001, Cyber Essentials or GDPR compliance. The catch is that these standards don’t necessarily provide the level of assurance a private equity firm should be looking for in the acquisition process.

For instance, a company may have the ISO standard, but it may only apply to a particular unit within the business and may not reflect recent updates to the company’s technology stack. Even in combination, the varying standards alone cannot provide assurances about a company’s approach to cybersecurity. A “tick-box” approach simply isn’t sufficient for M&A due diligence.

To fully understand a firm’s cyber-risk profile requires a broader approach, and technology is only part of the picture. Typically, a company’s cyber-risk lies in four areas: technology, people, functional processes and the supply chain. And each of these areas should be addressed as part of the due diligence process.

As a starting point, firms should look to satisfactorily answer the following questions:

  • Has the target already been breached and/or is it vulnerable to attack?
  • Does the target recognize the consequences, and mitigate the risk, of cyberattacks?
  • Is there a risk of the target incurring legal penalties or prosecution as the result of a cyberattack?
  • Is the target contractually liable for any third-party cybersecurity risks?

Private equity firms are often reluctant to request technical access to a company’s systems as part of due diligence, but the industry needs to get over this hurdle to ensure the right level of scrutiny can be applied. The vast majority of potential issues can, for the most part, be discovered with a vulnerability scan. This will also help inform an understanding of both the current threat environment and the organization’s mitigating policies and processes.

Steve Lancaster

While cybersecurity assessments have become a “must-have” part of due diligence, the risk doesn’t end there. This is why these efforts should be incorporated throughout the lifecycle of portfolio-company management and reflected in the roles and responsibilities of operating partners. Ongoing management of cyber-risks can help preserve and even create value in the long term. Being able to demonstrate compliance and continuous improvement, particularly when integrating add-ons as part of a buy-and-build strategy, can help avoid pitfalls further down the line. And when it comes to exiting the investment, being able to demonstrate best practices around cybersecurity will minimize liabilities and reduce exposure to the risk of a broken sales process.

In addition, companies that can demonstrate a proactive and robust approach to cybersecurity are using it to their advantage when bidding for competitive tenders. Business leaders throughout the supply chain also recognize poor cybersecurity and see it as a risk they would want to avoid when all else is equal. Companies that can give assurances on this front, as a result, are able to differentiate their products or services from competitors, particularly in sectors where large amounts of sensitive data are being gathered and processed. Private equity firms that can enhance their portfolio companies’ cybersecurity capabilities may also be enhancing their growth potential.

Any cybersecurity strategy should be appropriate for the circumstances and reflect potential worst-case scenarios of a breach. In most cases, it should not cost a small fortune, and just doing the basics well should be enough. Of course, 100 percent guarantees do not exist when it comes to cybersecurity due to the constantly evolving global threat. However, firms that can instill cybersecurity best practices across their portfolio have the potential to not only protect the value and reputations of their investments, but actively and materially enhance value over time.

Private equity firms should ensure they use trusted and independent expert cybersecurity partners who can translate this complex technical subject into clear and unambiguous language suitable for people who are making critical investment decisions.

Steve Lancaster is the chief executive officer of CYSIAM.