The current rash of ransomware attacks should serve as a wake-up call to private equity firms to ratchet up their cybersecurity due diligence efforts. The data breach affecting Yahoo Inc. (Nasdaq: YHOO) provided an earlier moment of reflection for the M&A world. The scale of the credential theft is alarming, but even more so are the steps Verizon Communications Inc. (NYSE: VZ) is taking to reassess its offer to acquire Yahoo. Given the real possibility that the $4.8 billion price tag may be renegotiated, one might naturally assume that the due diligence performed by Verizon was insufficient. There may be some truth to this, but the questioning and second-guessing could be unwarranted.

As a middle market CIO, I have a window into the various machinations of the IT diligence process, and cybersecurity is one piece that is still maturing. The well-established diligence processes that thoroughly evaluate opportunities and reduce risk can make introducing cybersecurity into the conversation feel foreign and uncomfortable. Boards and companies in general understand cyber risks less well than they should, which leads to gaps in their overall due diligence.

Although this is not exclusively a challenge for the middle market, there are a few reasons why cybersecurity due diligence is not yet routine.

The first is time. Particularly for diligence performed on middle market companies, there simply is not enough of it. A thorough assessment needs weeks, but what tends to be available is days, and sometimes less than that. As a result of this compressed timetable, the assessment of cyber risks is left incomplete, and a vicious cycle begins: decisions are made without the appropriate information, and new risks are introduced into the process itself.

Second, cybersecurity risks are generally misunderstood. Boards and management teams in many middle market companies today do not include cybersecurity in their broader risk management strategy conversations.
The same distance is being kept by middle market investment professionals. Although this is certainly not the case for all smaller private equity firms, deal teams may not be prioritizing cyber due diligence as part of a routine process; it has yet to become standard practice in this segment of the private equity world.

Finally, cyber due diligence is complicated, costly and potentially confusing. For many middle market private equity firms, general IT due diligence is outsourced to third-party providers, whose reports typically include only a cursory analysis of a target company's cybersecurity posture. A dedicated cyber risk assessment is usually a bolt-on to general IT diligence and therefore an additional cost, and that cost, at least today, still shapes the decision about whether or not to perform a cyber risk deep dive. For those who do sign up for the additional assessment, the reports are often very technical and require some translation before the business risks are clear.

The tone around cybersecurity and cyber due diligence does appear to be changing as the risks slowly become clearer. A recent survey by consulting firm West Monroe Partners found that 80 percent of respondents said cybersecurity issues at target companies are very important, and 39 percent recognized that not enough time is devoted to cyber due diligence.

Fortunately, middle market private equity firms can take concrete steps that fit within the compressed schedule of a typical diligence process. Working with the third parties performing the due diligence, a private equity firm can coordinate and help tailor the questions and assessments that will be performed. Specific questions can help buyers gauge the maturity of a target company's internal security program:
- Has someone been designated as the cybersecurity owner within the company?
- Does this individual have access to upper management and/or the board?
- Is there a budget for the cybersecurity program?
- Are there cyber-related policies that are known throughout the organization?
- Have systems containing sensitive data been identified?
- How is data protected throughout the organization, both at rest and in transit?