Cybersecurity has become an increasingly regulated area of risk for businesses operating in the digital economy. As technology has advanced and cyberattacks have become more sophisticated, the measures needed to protect business data from breaches have become more extensive. This is reflected in a tougher regulatory environment, in which regulators impose sanctions more strictly and more readily.
Companies need to review their cybersecurity practices and weigh the risks attached to each type of data they hold. Business and financial data, for example, can be extremely valuable to operations, and its compromise can significantly disrupt the business. Where personal data is processed there is the additional risk of breaching data protection legislation, which can lead to enforcement action (including significant fines) by data protection regulators as well as complaints and claims from the individuals concerned.
It is therefore not surprising that The Wall Street Journal recently published an article noting that many private equity firms are focusing more closely on their portfolio companies' cybersecurity practices and the associated risks.
What are the risks?
High-profile data breaches such as the Marriott breach, for which a fine of roughly $23.8 million (£18.4 million) was levied by the UK Information Commissioner's Office in 2020, are clear examples of the high cost of legacy weaknesses in a company's cybersecurity practices. As a reminder, the intrusion began in 2014 in a customer database of the Starwood hotel brands, which Marriott acquired in 2016. The breach was not discovered until two years after the acquisition, and Marriott was left responsible for the historical security vulnerabilities it had inherited, which led to a high-profile regulatory fine. The practical lesson for an acquirer is that an attacker who is already inside a target's network at the time of the deal becomes the acquirer's problem, and the regulator will treat it that way.
Public regulatory action related to a company’s cybersecurity failures can be extremely costly, both in terms of customer confidence and financial penalties. Customers can quickly lose faith in companies that are publicly reprimanded for failing to protect their data, and data protection regulators are increasingly focusing on data breaches related to security practices.
In 2022, more than 75 fines were imposed in the EU citing insufficient technical and organizational measures to ensure data security (the security-of-processing obligation in Article 32 of the GDPR) as the non-compliance issue, the largest amounting to €17 million.
What practical steps are private equity firms taking?
Many private equity firms are implementing a standardized approach to cybersecurity across their portfolios, allowing some contextual variation for companies in industry sectors or geographies that are considered higher risk. Holding a group of companies to a uniform standard is a sensible tactic: it establishes a baseline level of security and avoids one 'weak link' company creating a group-wide risk, especially where IT assets such as identity providers, networks or shared service platforms are used across the portfolio. Uniformity also allows any identified defects to be dealt with quickly and cost-effectively, without the need for a bespoke assessment of each entity.
In terms of portfolio management, private equity firms are implementing changes to ensure a minimum level of cybersecurity practice in their portfolio companies. The WSJ article notes that for some firms this includes monthly consultations with virtual CISOs, who provide guidance and help portfolio companies test their controls and create appropriate security policies and practices.
In terms of acquisitions, private equity firms are focusing on the assessment of cybersecurity measures during transactional due diligence, checking that each target has robust technical and organizational measures in place that are appropriate to its size and sector. Firms are investing more in these preliminary due diligence steps to protect against the risk of inheriting high-risk vulnerabilities that could give rise to liability for future, or already-occurred but undiscovered, data breaches.
Gone are the days when cybersecurity due diligence was an optional part of the process. It is now likely to be one of the mainstays of attention, going beyond simply verifying the existence of internal policies and procedures to taking active steps, including engaging third-party technical specialists to perform penetration tests and network scans on the target to test its defenses. Such testing should be scoped and authorized in writing with the target beforehand, since unauthorized scanning of a third party's systems may itself be unlawful.
Implementing more robust, and perhaps uniform, security measures across portfolio companies is a cost to private equity firms in the short term. However, given the risks of security failures and the added value that robust cybersecurity practices carry when a company is evaluated on exit, it may well be money spent now that pays off later.
What can private equity targets do?
Businesses are now on notice about the risks of security failures: poor practices could cost them investment and, worse, if a breach occurs, could cost them time, money and reputation. The WSJ article notes that even small businesses and start-ups are now expected to have some form of cybersecurity regime in place. Companies seeking private equity investment should review their cybersecurity practices to ensure they are effective and appropriate for the size and operations of the business.
Any company considering outside investment should review its cybersecurity practices before seeking that investment and expect a robust transactional due diligence process in this area. Such a company might consider testing its own controls through penetration testing and other security testing, ensuring that its security policies and procedures are up to date, and confirming that all remediation steps for previous incidents or identified vulnerabilities have actually been completed and verified, not merely recorded as planned.
We anticipate that cybersecurity will remain a key element of risk in the private equity industry, as data breach risk and associated costs remain pervasive in the modern world across all industries and types of businesses.
Personal data held by companies can be a valuable asset, but failing to protect it adequately can be a costly risk to take and the asset can quickly become a liability. The approach taken by private equity firms is one that all companies should consider.
Private equity firms are taking a closer look at how their portfolio companies manage their cybersecurity, often before a deal is signed.