Protecting Private Equity Portfolio Companies Against Cyberattacks

It’s impossible to escape the topic of cybersecurity, whether it comes in the form of the latest news article about a breach or ransomware attack, as a topic in a book you’re reading, or the plot of a TV show you’re watching. Companies are seeing a variety of different attacks these days—and no industry or corporation is safe. 

Attackers may target the healthcare industry to gain access to sensitive patient information. Perhaps they go after the manufacturing industry to halt production of equipment or goods. Banking information is incredibly sensitive, making it a prime target for hackers. 

But there’s also a real concern in the private equity space. Companies acquired by private equity firms are quickly thrown into the spotlight and become bigger targets once news of an acquisition is made public. These new portfolio companies are now at the forefront of threat actors’ minds¹ and often have low cybersecurity maturity. Where they were once a smaller target as a standalone company, these companies are now backed by the deeper pockets of a private equity firm—that makes targeting these companies a much more enticing proposition for attackers.  

How companies can reduce cybersecurity attacks 

There are an abundance of cybersecurity attack types to prevent against, and knowing where to focus your portfolio company’s time, resources, and investments can be challenging. 

Ransomware 

Ransomware is often costlier than other types of cybersecurity attacks. The average total cost in 2021 was $4.6 million, excluding ransom payments. Some of the best cybersecurity controls to limit the likelihood and impact of a ransomware attack include: 

• Multi-factor authentication (MFA): This protects a company’s data and assets in the event that credentials are compromised by requiring a second factor before granting access to company resources. It is most important to implement MFA for access to email, remote access, critical business applications, and administrative functions. 
• Off-network backups: These allow organizations to be better prepared and more likely to be able to restore business operations in a timely manner. 
• Endpoint/managed detection and response (EDR/MDR): These solutions provide proactive visibility and monitoring on servers and workstations in a company’s environment and allow for isolation to help contain potential spread of a compromise. 
• Active directory segmentation: Segmentation between a company’s corporate environment and product or operational technology environment limits the ability for a threat actor to pivot from one environment to another—helping to isolate a potential ransomware attack. 

Data breaches 

Data breaches have existed for some time—but they aren’t disappearing, or even becoming less frequent. Customer personally identifiable information (PII) was the most common type of record lost: 44% of breaches in 2021 included it, with an average breach cost of $180 per record. Investors should implement these controls to protect their portfolio’s data:  

• Identity and access management: These controls include a robust access provisioning process to ensure users only have access to data and applications that are required for their job. Granting users the correct permissions is the first step, and continuously validating that those users have the correct access is an ongoing process that protects against unrestricted access to sensitive data.
• Data loss prevention (DLP): These solutions alert on sensitive information sent outside the organization’s environment and can also block the sending of this data.  

Impersonation attacks 

Impersonation attacks are one of the most frequent cybersecurity threats that companies and individual employees will face—a staggering 82% of breaches involve the human element³ The best ways to help your employees be prepared for impersonation attacks are: 

• Cybersecurity awareness training: Educate users on cybersecurity best practices and email security, then test users to be alert for fraudulent requests through phishing campaigns. Employees trained in cybersecurity best practices are less likely to fall for an impersonation attack.
• Segregation of duties and verification processes: Increase the number of individuals approving requests and acting as gatekeepers around requests for monetary transfers or sensitive information. These processes could include requiring dual approve for internal and external wire transfers/bank payments and refraining from changing employee information without verifying the employee’s identity.  

Business email compromises 

Business email compromises could lead to many other cybersecurity attacks, including data exfiltration, ransomware, or impersonation attacks through an attacker imitating the email owner’s identity. Many companies have not hardened their email environment, simply taking advantage of what cloud email providers offer. Some of the most missed configurations are: 

• Disabling legacy protocols (e.g., IMAP, POP): Taking action prevents attackers from circumventing MFA controls and gaining unauthorized access to the email environment. 
• Properly configuring DKIM, DMARC, and SPF records: Configuring these records protects against email spamming and spoofing to and from your organization’s email domain(s).
• Blocking automatic external email forwarding: This safeguards the email environment from one of the most common types of data exfiltration. 

When to consider cybersecurity? Throughout the entire M&A lifecycle 

With an ever-changing threat landscape, cybersecurity should be considered throughout the M&A lifecycle, beginning with due diligence, through the hold period, and leading up to sale. 

During diligence 

Cybersecurity should be considered to help identify major red flags before investments in a new company are made. Private equity firms already conduct thorough due diligence on a target’s financials, operations, and profitability; the diligence process should also include a cybersecurity review. 
 
This can consist of a high-level resiliency assessment but could also include more technical reviews such as scanning the dark web for company credentials and information. This will help investors learn about the target’s cybersecurity posture—which otherwise may be a black box—and allow investors to factor any findings into the purchase agreement and price. Further, representation and warranties insurance increasingly require answers gained from cybersecurity diligence. 

Hold period 

Investors have the chance to further evaluate a company’s cybersecurity posture, identify areas for improvement, and establish a cybersecurity-specific roadmap once an acquisition is closed. When executed, the roadmap will harden the portfolio company’s environment by implementing necessary cybersecurity controls. 
 
This cybersecurity review and technical implementation will thoroughly vet and then increase a company’s cybersecurity posture that may have only been touched upon briefly during due diligence depending on level of access. As the portfolio company progresses through the hold period, their investment and growth strategy will be reevaluated—and so should the company’s cybersecurity posture. Portfolio companies should continuously evaluate the cybersecurity threat landscape and risks to their cybersecurity resiliency to work to prevent potential value erosion. 

Prior to sale

Cybersecurity should be considered when you’re looking to sell the company; conducting a sell-side diligence a few months prior to selling the company will allow the investor and the portfolio company time to remediate any cybersecurity gaps that are identified and could cause delays during the sales process—and prepare management teams for diligence.  

Cybersecurity: A continuous journey

Private equity firms and their portfolio companies are an increased target for cybersecurity attacks given their public exposure and financial resources. As such, a company’s cybersecurity posture should be evaluated constantly throughout a private equity firm’s hold period to best prepare for and mitigate prevalent cybersecurity attacks.