The current rash of ransomware attacks should serve as a wake-up call to private equity firms to ratchet up cybersecurity due diligence efforts. The data breach affecting Yahoo Inc. (Nasdaq: YHOO) provided an earlier moment of reflection for the M&A world. The magnitude of the stolen credentials is alarming, but even more so are the steps Verizon Communications Inc. (NYSE: VZ) is taking to reassess its offer to acquire Yahoo. Given the real possibility that the $4.8 billion price tag may be renegotiated one naturally might assume the due diligence performed by Verizon was insufficient. There may be some truth to this, but the questioning and second guessing could be unwarranted.
As a middle market CIO, I have a window into the various machinations of the IT diligence process, and cybersecurity is one piece that is still maturing. The well-established diligence processes that thoroughly evaluate opportunities and reduce risk can make introducing cybersecurity into the conversation foreign and uncomfortable. Boards and companies, in general, have less of an understanding about cyber risks than they should, which leads to gaps in their overall due diligence. Although not exclusively a challenge for the middle market there are a few reasons why cybersecurity due diligence is not routine.
The first is time. Particularly for diligence being performed in middle market companies, there simply is not enough. Weeks are needed, but what tends to be available for a thorough diligence are days – and maybe even less than that. As a result of this compressed timetable, a thorough assessment of the cyber risks is incomplete and thus begins a vicious cycle of making decisions without the appropriate information and potentially introducing risks into the process.
Second, cybersecurity risks are generally misunderstood. Boards and management teams in many middle market companies today are not including cybersecurity in their broader risk management strategy conversations. The same distance is being kept by middle market investment professionals as well. Although certainly not the case for all smaller private equity firms, deal teams may not be prioritizing cyber due diligence as part of a routine process. It has yet to become a standard practice in this particular section of the private equity world.
Finally, cyber due diligence is complicated, costly and potentially confusing. For many middle market private equity firms, general IT due diligence is outsourced to third-party providers who typically include cursory analysis of a target company’s cybersecurity posture. A dedicated cyber risk assessment is usually a bolt-on to general IT diligence and therefore an additional cost. The cost of diligence, at least today, is still shaping the decision-making process about whether or not to perform a cyber risk deep dive. And for those who do sign up for the additional assessment, the reports are often very technical, which requires a bit of translation to understand the risks.
Luckily, the tone around cybersecurity and cyber due diligence appears to be changing as the risks around this topic are slowly becoming clearer. A recent survey by consulting firm West Monroe Partners found that 80 percent of respondents said cybersecurity issues at target companies are very important and 39 percent recognize that not enough time is devoted to cyber due diligence.
Fortunately, middle market private equity firms can take concrete steps that will fit into the compressed schedule of a typical diligence process. Working with the third parties that are performing the due diligence, a private equity firm can coordinate and help tailor the types of questions and assessments that will be performed. Specific questions can help buyers determine the maturity of a company’s internal security program:
- Has someone been designated as the cybersecurity owner within the company?
- Does this individual have access to upper management and/or the board?
- Is there a budget for the cybersecurity program?
- Are there cyber-related policies which are known throughout the organization?
- Have systems containing sensitive data been identified?
- How is data protected throughout the organization, be it at rest or in transit?
Questions like these will get the sellers talking and will help the buyers evaluate the importance of cybersecurity to the organization. Certain verticals and supporting technologies need to be factored in as well. Identifying legal or regulatory requirements early on will help shape the types of questions asked during diligence. A healthcare company, as an example, will have regulatory considerations such as the Health Insurance Portability and Accountability Act (HIPAA), which should be part of the diligence conversation. Gaps in implementing certain controls for HIPAA compliance could raise the overall risk of the investment and may provide needed intelligence to a potential buyer. A day or two of careful diligence for cyber risks helps a buyer mitigate both known and unknown risks. Being thoughtful with the time and the questions asked should paint a picture of exposures that would otherwise remain unknown.
Assuming all goes well with the due diligence and the target becomes a portfolio company, the conversation around cybersecurity continues. Just like financial risks, cybersecurity needs to be part of the overall risk management strategy for both the management company and the portfolio company. Risks identified during diligence should become part of the remediation roadmap for the board and company management. Clearly identifying risks throughout the company will help establish a priority list of what needs to be worked on quickly and what can wait.
Portfolio companies needing guidance can set the right tone on cybersecurity early in the holding period. The first is to focus on governance and creating an information security steering committee. This committee, typically consisting of members of the human resources, compliance, IT and executive teams, will help establish the overall program and promote the importance of cybersecurity throughout the organization. The size of the committee will really depend and the size and complexity of the firm, but between three and five members is typically most effective.
The committee should start by focusing on the risks they are facing. The best way to tackle this is engaging a third party to perform a risk assessment. This baseline, in addition to all of the due diligence data points, will augment the baseline established during diligence to see what risks exist and how they tie back to the company’s overall risk appetite and regulatory obligations. This third party can assist with the creation of information security policies and a security awareness training program that both inform and enforce acceptable use of systems and data throughout the organization. Next, the committee should spend time identifying where sensitive data resides. This may include internal systems, private or public cloud providers, and trusted third parties. As part of this process, creating a mechanism to classify the data across these various systems will help set boundaries around the movement of data in and outside of the company. Examples could be public, office only and confidential. Lastly, identify roles and responsibilities in the event of loss of data. No company wants to develop an incident response program in the middle of an incident. Consider relying on outside counsel for guidance when designing the incident response plan and test the effectiveness of the program to make sure the key stakeholders are prepared.
Ransomware is industry-agnostic, and victims can fall prey through phishing emails, or by accessing infected websites. The WannaCry attacks encrypt files and demand a ransom, typically paid in bitcoins, to release the files. The encrypting of files can be disastrous for companies, and there are a few additional steps a company can take to better protect their most important asset, their data:
1. Create a process to provide critical updates to all corporate software
2. Make sure you have reliable backups in place and restoring of files is tested
3. Continue to educate your employees about the importance of ignoring suspicious emails and to never click on links or attachments without closely examining the sender's email address
The threat of ransomware is not going away. Tens of thousands of businesses worldwide continue to struggle to recover from the WannaCry ransomware attack, reminding dealmakers of the importance of factoring in cyber risk throughout the entire deal process.
This primer is by no means exhaustive. Developing and maintaining a cybersecurity program begins during diligence and does not end until that company is sold to the next buyer. Cybersecurity should become part of the natural dialogue of the M&A process regardless of the size of the acquisition. Protecting your firm and its investments is well worth the effort.
Eric Feldman is the chief information officer for the Riverside Co., a middle-market private equity firm based in Cleveland and New York with a portfolio of $5 billion under management.