Cybersecurity Considerations for Private Equity Firms: Mitigating the Cyber Risks of Portfolio Companies

As we approach the end of 2017 and reflect on the past year, it’s hard to ignore the recent surge in cybercrime and the financial, operational, and reputational losses that breaches have caused portfolio companies and M&A targets. Some notable examples include the $350 million (7%) deal adjustment on the Yahoo acquisition as well as the Whole Foods breach announcement that followed their acquisition by Amazon.

As investors, private equity firms must rigorously assess a target’s revenue growth, competition, and operations before determining whether it’s a viable investment. Due to the risks that increased breaches pose, assessing cyber risks during the M&A diligence process and beyond has become increasingly common — and advisable.

5 Steps to Help Mitigate the Cyber Risks of Portfolio Companies 

While cyber threats are constantly growing and evolving, it’s important to be vigilant in order to protect your investments. Here are 5 steps for private equity firms to consider during the pre- and post-acquisition phase:

1. Implement a sound vulnerability management program — The majority of recent high-profile breaches were perpetrated by exploiting known security vulnerabilities. Therefore, it's imperative that your company have a sound vulnerability management program in place to address policies such as deploying patches as soon as possible. See our recent blog post, 5 Best Practices for Building an Effective Vulnerability Management Program, for more info.
    
2. Assess cyber risks during the pre-deal diligence process — Portfolio companies across various industries (e.g., Sonic Drive-In, Whole Foods, and Yahoo) have experienced a decline in their investment value and/or brand as a result of cyber breaches. To protect your investment, you need to ask the right questions and challenge responses during the due diligence process to determine how the company's IT and cyber capabilities, or lack thereof, might undermine your investment thesis. 
    
3. Make cyber risk management an ongoing priority — Assessing a portfolio company’s cyber risks shouldn’t end after the pre-deal phase. Implementing an ongoing cyber risk management strategy, including establishing quarterly risk councils to regularly monitor your portfolio companies' cyber risks, can help prevent a potential cyber incident as well as reduce the impact of an actual incident.  
    
4. Educate your portfolio companies about cyber risk detection and incident prevention — Making sure the staff of your portfolio companies know how to prevent, detect, and respond to cyber threats can help reduce the likelihood of a cyber incident affecting your firm.
    
5. Think holistically across cybersecurity, privacy regulations, business applications, and IT infrastructure – These areas overlap, and the right adviser can help you understand not just risks and expected remediation costs, but also opportunities for efficiencies, scalability, and competitive advantage.

About the Author

Chad Neale is a Managing Director at ACA Aponix focused on IT, privacy, and cybersecurity transaction advisory, as well as tech and cyber risk strategies for ACA's private equity firm clients' portfolio companies. Prior to joining ACA, Chad served as the Cybersecurity and Privacy Director for PwC's Risk Assurance practice. In that role, he led the team responsible for performing cybersecurity, privacy risk, maturity assessments, and attack and penetration testing for clients operating in a variety of industries including healthcare, financial services, technology, retail, aerospace and energy. Before that, he led the establishment of an ISO27001 compliant Information Security Program as the Information Security Officer at First Allied Securities. Chad earned his BS in Electrical Engineering from the University of California, San Diego and holds several certifications including ISO27001:2013 Auditor, GSLC, GCCC and GCFE.