It’s impossible to escape the topic of cybersecurity, whether it comes in the form of the latest news article about a breach or ransomware attack, as a topic in a book you’re reading, or the plot of a TV show you’re watching. Companies are seeing a variety of different attacks these days—and no industry or corporation is safe.
Attackers may target the healthcare industry to gain access to sensitive patient information. Perhaps they go after the manufacturing industry to halt production of equipment or goods. Banking information is incredibly sensitive, making it a prime target for hackers.
But there’s also a real concern in the private equity space. Companies acquired by private equity firms are quickly thrown into the spotlight and become bigger targets once news of an acquisition is made public. These new portfolio companies are now at the forefront of threat actors’ minds1 and often have low cybersecurity maturity. Where they were once a smaller target as a standalone company, these companies are now backed by the deeper pockets of a private equity firm—that makes targeting these companies a much more enticing proposition for attackers.
There are an abundance of cybersecurity attack types to prevent against, and knowing where to focus your portfolio company’s time, resources, and investments can be challenging.
A good rule of thumb? Companies should focus their efforts on cybersecurity controls that would help prevent against today’s most prevalent attack types: ransomware, data breaches, impersonation attacks, and business email compromises.
Ransomware is often costlier than other types of cybersecurity attacks. The average total cost in 2021 was $4.6 million, excluding ransom payments. Some of the best cybersecurity controls to limit the likelihood and impact of a ransomware attack include:
Data breaches have existed for some time—but they aren’t disappearing, or even becoming less frequent. Customer personally identifiable information (PII) was the most common type of record lost: 44% of breaches in 2021 included it, with an average breach cost of $180 per record. Investors should implement these controls to protect their portfolio’s data:
Impersonation attacks are one of the most frequent cybersecurity threats that companies and individual employees will face—a staggering 82% of breaches involve the human element3 The best ways to help your employees be prepared for impersonation attacks are:
Business email compromises could lead to many other cybersecurity attacks, including data exfiltration, ransomware, or impersonation attacks through an attacker imitating the email owner’s identity. Many companies have not hardened their email environment, simply taking advantage of what cloud email providers offer. Some of the most missed configurations are:
With an ever-changing threat landscape, cybersecurity should be considered throughout the M&A lifecycle, beginning with due diligence, through the hold period, and leading up to sale.
Cybersecurity should be considered to help identify major red flags before investments in a new company are made. Private equity firms already conduct thorough due diligence on a target’s financials, operations, and profitability; the diligence process should also include a cybersecurity review.
This can consist of a high-level resiliency assessment but could also include more technical reviews such as scanning the dark web for company credentials and information. This will help investors learn about the target’s cybersecurity posture—which otherwise may be a black box—and allow investors to factor any findings into the purchase agreement and price. Further, representation and warranties insurance increasingly require answers gained from cybersecurity diligence.
Investors have the chance to further evaluate a company’s cybersecurity posture, identify areas for improvement, and establish a cybersecurity-specific roadmap once an acquisition is closed. When executed, the roadmap will harden the portfolio company’s environment by implementing necessary cybersecurity controls.
This cybersecurity review and technical implementation will thoroughly vet and then increase a company’s cybersecurity posture that may have only been touched upon briefly during due diligence depending on level of access. As the portfolio company progresses through the hold period, their investment and growth strategy will be reevaluated—and so should the company’s cybersecurity posture. Portfolio companies should continuously evaluate the cybersecurity threat landscape and risks to their cybersecurity resiliency to work to prevent potential value erosion.
Cybersecurity should be considered when you’re looking to sell the company; conducting a sell-side diligence a few months prior to selling the company will allow the investor and the portfolio company time to remediate any cybersecurity gaps that are identified and could cause delays during the sales process—and prepare management teams for diligence.
Private equity firms and their portfolio companies are an increased target for cybersecurity attacks given their public exposure and financial resources. As such, a company’s cybersecurity posture should be evaluated constantly throughout a private equity firm’s hold period to best prepare for and mitigate prevalent cybersecurity attacks.