The New Due Diligence

Private equity firms continue to include cybersecurity as part of their overall risk assessment

For private equity investors, cybersecurity is quickly becoming a significant part of the portfolio company acquisition process. Not only must firms ensure the protection of customer data and sensitive, proprietary company information, but neglecting the threat of a data breach can also run afoul of several federal agencies.

“What we try to coax a lot of our clients into understanding is, there’s the security at the fund level itself, at the portfolio level, and then the interaction between the two,” says Daimon Geopfert, national leader, security and privacy consulting, at RSM. “A lot of funds will come back and say, ‘We don’t contain a lot of sensitive data. We don’t have access to a lot of sensitive systems.’ Usually, on review, they have more than they think, and they always seem to forget that they are also an entrée into some of the portfolio companies.”

Geopfert says most cyberattacks are crimes of opportunity, and private equity firms that think they’re not targets should think again.

“Most breaches are actually targets of opportunity,” he says. “They didn’t come looking for you specifically; you just happened to be vulnerable. They took a shot at you and then realized later who you were.”

One of the most common misunderstandings of cyberattacks is that organizations assume they will know very quickly that they’ve been breached. But Geopfert says the number of days it takes to discover a breach is between 200 and 300 days. By then, lot of the damage is already done.

“It is an emerging focus of businesses around the world,” says Prakash Mehta, a resident expert on cybersecurity at international law firm Akin Gump.

According to Scott Larson, a former FBI special agent and founder of Larson Security, private equity firms are trending toward making cybersecurity part of the early stages of due diligence. In fact, he predicts it will become the norm in the next two to three years industry-wide.

Larson, who led the FBI’s computer investigations and infrastructure protection program as a supervisory special agent before founding his security firm, has seemingly seen it all. An immediate red flag includes IT groups that are hostile when questioned about processes.

“There are weaknesses they do not want exposed,” Larson explains. “There is something they are hiding.”

Larson has discovered completely unmanaged systems without any patches. This would indicate a serious problem for any acquirer, he says.

On the client-facing side, things look good, but Larson says, “On the back end, they are in disarray.”

His team typically embeds itself with the IT department of the portfolio company for up to six months to run full diagnostics on systems. He runs a “health checkup” on networks, providing acquiring companies with full risk assessment.

Larson is finding that the savvier the management team at a private equity firm, the sooner they will conduct cyber due diligence when making a new investment. Mehta stresses an even deeper dive than focusing on the portfolio company; instead, he counsels clients to create a map of every third party that has access to the firm’s sensitive data, including vendors and suppliers.

“You cannot just protect on your end,” says Mehta. “How strong is the cybersecurity with those who have your information?”

Geopfert agrees.

“We’ve seen a wide array of attacks, over the last year or so, of organizations that get breached through some related body,” he says. “So an attacker breaches them and then works into that company. And so we’re starting to see those styles of attacks at the fund level. But it really is [about] understanding their own security, the security of their portfolio companies, and then how they track that over time. How does it get reported back up, and how do they manage their risk?

Indeed, the SEC recently reported uneven levels of cybersecurity preparedness. According to a report issued by Akin Gump that reviews the government watchdog’s findings, third-party due diligence is key. Cybersecurity insurance is also an important step to be considered.

“There are significant opportunities for improvement,” according to Akin Gump’s report.

Taking a total, comprehensive approach to information technology is key to maintaining security. It is not just one network or component; it is the system as a whole that needs to be tested consistently.

The number one way for an organization to protect itself from a breach is to guarantee that a data-protection strategy is in place, says Darren Guccione, CEO of Keeper Security, Inc., a provider that helps clients password-protect sensitive data files. The strategy is to ensure that all sensitive data is encrypted and that proper controls are in place to permit access to that data. The policy is consistently tested and audited for effectiveness in preventing data loss from both external and internal threats, Guccione adds.

“Centralized management of enterprise-wide access, threat-detection systems, external and internal security auditing systems, and the ability to securely share sensitive information and credentials are all key components of an effective data-protection strategy for any enterprise,” he says.

For private equity, the potential damage a cybersecurity event can have for firms is exponential. For instance, a disgruntled employee could provide sensitive data in order to torpedo a deal, Larson points out. And if a hacker breaks into the firm’s network, that person would gain access to LP information.

Mehta takes it even further, suggesting the intruders could force a wire transfer from the firm’s pools of capital. Mehta has yet to see a successful dummy transfer, but he has seen them foiled. That means it is currently happening.

Cybersecurity for private equity firms is often a more intense process, typically in a shorter time frame, Larson explains. That means providing the initial screening in the first 30 days and then embedding with the firm’s IT department for six months to a year. Working with private equity clients often means the stakes are higher than in other industries, because the goal is to provide a full assessment of the IT security without negatively impacting a deal for a target portfolio company.

And while a full assessment of a company’s cybersecurity is quite expensive, the alternative could cost considerably more.

“With the multiples being so high right now, there’s a lot of money at risk,” says RSM’s Geopfert. “When you’re buying into those, you are accepting that you are buying right now at a huge premium. We’re working with private equity groups that are very heavily invested in industries having to do with healthcare, health insurance, health providers, retailers—anything along those lines. If that is breached when they buy it or right afterwards, they can lose that entire investment.”

This content is sponsored by RSM