
Cybersecurity for the PE Market

23 May 2018

By: Gregory A. Garrett, CISSP, CPCM, PMP
Head of U.S. & International Cybersecurity, BDO USA LLP

Cybersecurity is a growing risk factor in the Private Equity (PE) marketplace within the U.S. and worldwide. Cyber-attacks are increasing in sophistication and magnitude of impact across all industries globally. According to a recent report issued by the U.S. Securities and Exchange Commission (SEC), the average cost of a cyber data breach is $7.5 Million and continues to increase year over year. While all organizations are potential targets of cyber-attacks, the industries which possess the most valuable data are the biggest targets, including financial services, healthcare, government, automotive and manufacturing, and retail. All organizations possess valuable information assets, which may include intellectual property, financial payment information, client information, supply chain partner information, personally identifiable information (PII), protected health information (PHI), and/or payment card information (PCI), just to mention a few.

It is vital for the buyer in the merger and acquisition (M&A) process to ensure they fully understand both the value of the information assets they are looking to acquire and the level of cyber threat and vulnerability facing the company they are considering acquiring. Further, the buyer must be able to determine the potential financial impact of the company’s cybersecurity preparedness, or lack thereof, upon the deal price.

Likewise, it is imperative for the seller in the M&A process to take appropriate actions to reduce their organization’s probability of a cyber breach and the potential negative impacts post-breach to optimize their sale price and ensure appropriate cyber defense. The focus of this article is to highlight the appropriate actions which both buyers and sellers involved in the M&A process can take before, during, and after the deal to mitigate the potential negative impacts of cyber-attacks and optimize the financial aspects of the deal.

For buyers, whether private equity firms or strategic company buyers, it is essential to take the following actions, as appropriate for the industry, size, and complexity of the acquisition target:

Before the Deal - Letter of Intent (LOI)

  • Select one or two independent firms with extensive cybersecurity advisory services, cyber threat analysis capabilities, vulnerability assessment and penetration testing services, and managed security services
  • Once a potential M&A target is selected, engage one of the independent cybersecurity advisory firms to do the following:
    • Conduct a Dark Web Analysis for the company, key personnel, and selected supply chain partners
    • Conduct a Social Media Analysis of the company and key personnel
    • Conduct an extensive Internet Search of the company and key personnel

All actions taken should be focused on identifying potential negative or damaging information which could lead to cyber vulnerabilities, including ransom, malware, ransomware, spear-phishing, spoofing, and other attack modes.

During the Deal (Pre-Close)

  • Review the company’s information security policies, plans, and procedures, including the Incident Response (IR) Plan, Business Continuity Plan (BCP), and Disaster Recovery (DR) Plan
  • Evaluate the company’s cybersecurity education and training program
  • Assess the most recent cyber vulnerability assessment and penetration testing findings
  • Conduct a new vulnerability assessment and penetration test, preferably via an independent cybersecurity services firm
  • Assess the information technology infrastructure: people, hardware, and software
  • Evaluate the company’s compliance with the cybersecurity risk management framework required for its industry
  • Conduct a cyber liability insurance coverage adequacy evaluation

After the Deal is Done (Post-Close)

  • Take the following cybersecurity remediation actions as necessary and appropriate:
    • Conduct a cyber risk assessment
    • Enhance IT technical operations
    • Engage a Managed Security Services Provider (MSSP) to:
      • Provide managed monitoring, detection, and incident response services (24x7x365)
      • Provide threat intelligence services
    • Provide cybersecurity education and training to all employees
    • Assess third-party vendor cyber risks

For sellers, the key to improved cybersecurity is to take all of the aforementioned actions, as necessary and appropriate, before engaging in the M&A process, including:

  • Cyber risk assessment
  • Cyber threat assessment
  • Vulnerability assessment and penetration testing
  • Cybersecurity education and training
  • Documented information security policies, plans, and procedures
  • Multi-layer cyber defense system with encryption, multi-factor authentication, and 24x7x365 monitoring, detection, and incident response
  • Incident response plan
  • Business continuity plan
  • Disaster recovery plan
  • Cyber liability insurance

Summary

The risk of a massive cyber breach negatively impacting a company’s reputation and market value is ever increasing. Thus, both buyers and sellers engaged in the PE marketplace need to fully understand the value of the information assets they are looking to acquire and the cybersecurity-related risk, and then factor the benefits and risk variables into their respective business equations and pricing. Once all of the aforementioned actions are taken, informed business decisions can be made by both parties to mitigate the potential negative impacts of a cyber breach and the post-breach consequences on a deal. Said simply, investing valuable dollars in a cyber threat assessment, cybersecurity risk assessment, and/or a vulnerability assessment up-front in the M&A process could reduce your cyber liability insurance costs post-close and reduce the impact of a data breach, thus saving millions of dollars.
