What does the Equifax data breach mean for mid-market M&A?
Management kept mum for six weeks. Then on September 8th, Equifax Inc. (NYSE: EFX), one of the three principal U.S. credit agencies, finally acknowledged that its computer systems had been breached and the personal data for 143 million U.S. consumers—nearly half the country’s population—had been compromised.
Anxiety over this cyber theft has been sky high, with everyone from the man in the street to high ranking government officials expressing outrage that Equifax didn’t do more to safeguard the public. The upshot is that consumers and businesses are now warier than ever of doing business with companies that fail to protect their privacy.
In light of this, Mergers & Acquisitions asked Eric Feldman, the CIO for private equity firm The Riverside Co., to discuss the of the break-in’s ramifications for middle-market dealmaking. Here are some of his insights:
M&A: Does the recent data breach at Equifax have implications for middle-market dealmakers?
Eric Feldman: Yes. Whenever there’s a breach, it definitely has an impact on the dealmaking process. If nothing else, the spotlight on companies’ vulnerability and the increasingly complex methods that are used by cyber criminals warrants a further look into the types of investments that dealmakers are pursuing.
[These types of events] are becoming part of the overall risk calculation that goes into the overall health of a target company. Middle-market companies in particular don’t have the resources, the sophistication and certainly the capital to build a truly enterprise security program. So as part of the M&A process, it’s important to understand what the risks are—including regulatory and legal risks, as well as reputational risks and risks to intellectual property. This is a story that’s not going to go away.
M&A: How should dealmakers manage these risks? How do they get started?
Feldman: For middle-market companies, the first step is to understand the nature of the risks that they face. A company can try and determine this itself, but any self-assessment will be of limited value, since it will be looking at the problem through a certain lens.
It’s better to hire a trusted third party, which has demonstrable experience performing security and vulnerability assessments and can take the client’s culture and resource limitations into account, when determining the types of regulatory, IP and other types of risks that a company faces.
A third party with this type of expertise can help a mid-market company formulate a set of ‘right-sized’ remediation strategies. The risks for a small manufacturing firm, for instance, one with say only one location and that operates in an industry that isn’t a high-profile target for hackers, will be very different from those of a large multinational. So right-sizing the security strategy is critical. What works for a Citibank is not necessarily appropriate for the Riverside Co.
M&A: Are there other best practices middle-market companies should follow?
Feldman: Once its assessment is completed and the risks that a company faces has been determined, management and the board need to consider them in a broader business context and prioritize their importance. Decisions need to be made about which of these risks pose the greatest threat and in what order they should be remediated.
At this point, governance becomes really important: The organization needs to identify an advocate who will be responsible for promoting and getting buy-in for its security program. Management needs to create policies that lay out the company’s responsibilities and the obligations of its employees. These should include a set of ‘acceptable use’ policies for company equipment and devices like mobile phones.
But for a middle-market company to over-engineer these policies and create something that is unenforceable is arguably worse than not having any policies in place at all. Because once a company has a set of policies in place, it has significant legal exposure if it fails to live up to them. To avoid this, a company’s policies should relate to its business dealings. They should be enforceable, and they should constantly evolve with the company’s circumstances.
Then, once a company sets its security policies, it needs to train and educate its employees in those policies and embark on a security-awareness program. This doesn’t have to be an expensive undertaking. It could be as simple as a quarterly email that the security committee sends out to remind employees what their responsibilities are.
The committee could also make use of third-party phishing tools. These are used by the Riverside Co. and many other private equity firms as part of a ‘think before you click’ campaign to educate their employees. If an employee clicks on something that he or she shouldn’t, he’s redirected to a page that reminds him to be a good corporate citizen.
There are also many other types of educational materials, like security awareness buttons and posters, that are freely available.
M&A: What other steps should a middle-market company take?
Feldman: The company may also want to put some technical controls in place, and there are some free tools that are available, as well as others that are generally affordable. Free tools include the encryption tools that are bundled in with both the Mac and Windows operating systems. And for a relatively modest amount of money, a company can invest in ...
web content filters
e-mail management platforms
... all of which guard against the most common security threats—including virus-laden e-mail attachments and malware-ridden web sites—that middle-market companies face. Again, right-sizing the security solution for the middle-market is going to be the key to success.
The final, but very important aspect of good security governance is incident-response planning—how a company should respond if an incident takes place. This too does not need to be over-engineered, but the roles and responsibilities within an organization, if faced with a loss of data, need to be defined.
If there’s one thing to learn from Equifax, it’s that their incident-response planning was shockingly immature. Once they were faced with a breach, they failed to get ahead of the message—and exposed themselves to a whole slew of problems as a result.