What private equity investors need to know about cybersecurity in the pandemic
The Covid-19 pandemic has spawned a perfect confluence of events that created an optimal striking ground for hackers. At Aon, a global professional services firm headquartered in London, we have seen cyberattacks increase by 33% during lockdown in the U.K. Hackers are preying on isolated workforces during a time when IT resources are stretched thin and many staff are furloughed.
Digital collaboration technologies have enabled many businesses to operate during lockdown, but few had ever simulated a scenario where everyone worked at home simultaneously. We are seeing limited IT resources being stretched by unprecedented remote working, with little capacity to defend against the unusually high number of cyberattacks that followed.
For M&A, such attacks can prove crippling or existential in the deal lifecycle. The financial impact of a cybersecurity breach is very clear to see when it devalues a company right before deal closing – putting a strain on founders and investors, becoming a costly and time-consuming disaster to mitigate.
While the total financial impact depends on the nature of the business and the timing in the transaction lifecycle, the cost of containing a cyberattack has a multiplier effect when the investment needs of new security protocols are also factored into valuation. You don’t need to be a deal guru to know the most common valuation technique used by investors is a multiple of earnings (EBITDA). So, by way of example, a $10m cyber financial impact in a 10x multiple deal becomes a $100m impact. In 2016, Yahoo took a $350m impact on their Verizon deal due to a 500 million user data breach.
So how can companies and their investors ensure they protect valuation and prepare to defend against sophisticated hackers? The best time to assess cybersecurity is before you buy or invest in a business during pre-deal due diligence – the next best time is now. It’s helpful to start from the premise that your current or future investment has already been compromised and work backward from there. Firstly, consider building a comprehensive cyber incident response plan and technology controls assessment, in addition to ensuring employees are aware of the many possible entry points hackers use to access their systems. Best practices include strong cyber governance from the board level down through to technology controls and processes, including incident response, working in tandem with vigilant staff across your supply chain. Ultimately, cyber insurance is required to offset steep financial losses when defenses fail.
Tailored cyber incident response plan
It’s critical to have a strong cyber incident response plan and a skilled team ready to execute it. The company needs a specialized team that can quickly determine the prospects for recovery after an attack with rapid access to backup systems, log files and administrator-level permissions.
The plan should address short-term and long-term strategies. The team must first move to contain the incident, shutting down systems and notifying customers if necessary. The focus in the days and weeks that follow should shift to priorities such as determining the hacker’s exact entry point and whether more security controls are needed. The plan should include an evaluation of overall security of the company and whether there are protocols in place to ensure new vendors and business partners are properly screened.
Strengthen technology prevention
Companies should seek to adopt current advanced technology controls to filter out suspicious emails or thwart malicious software that’s downloaded. They should also factor in external intelligence from deep and dark web sources and proactive threat hunting to guide defenses. Investors and owners should be particularly aware of digital operating models that might offer new entry points to cyber criminals or compromise boundaries with third-party providers.
Educate employees as a first line of defense
Technology alone can’t fully protect a company from attacks. Employees, partners and suppliers should be educated regularly to spot the security vulnerabilities in their midst, such as malware in e-mails, and understand the ways in which their personal data can be used by hackers.
Staff also should be aware of how working remotely might increase their security risk. Another post-pandemic dynamic that created ideal targets for hackers was the nature of communication among employees working from home. Hackers were able to exploit the lack of social connectivity at companies, as an employee faced with a suspicious-looking e-mailed invoice asking that a supplier be paid can no longer turn to a co-worker in the next office to discuss its legitimacy.
Transfer risk with insurance coverage
Despite a company’s best efforts, hackers can still manage to breach security protocols and wreak maximum havoc. For these cases, an insurance carrier can assume some of the risk to help spare the business from financial ruin. Cyber insurance can offer coverage for specific costs of containing the incident, ransomware payments, as well as certain fees for legal services. It can also be available to cover certain indirect costs arising from disruptions to business, such as revenue loss resulting from a product shipping suspension when the attack prevented orders from being fulfilled.
Cyberattacks can be extremely stressful for an investor, executive or entrepreneur who has worked to build a company over years or even decades, often in anticipation of a capital injection or lucrative exit. They are forced to surrender control of their brand to a team of lawyers, IT specialists, and cyber consultants, with no assurances their company will emerge intact. No company is immune to the threats posed by hackers, particularly with the new state of vulnerability created by the pandemic. By accepting that their business will be cyber-attacked, any investor or business owner can leverage the techniques in this article to fight back and pave the way for their brand to thrive for many years to come, leading to secured or enhanced deal valuations.