
Private equity firms should make cybersecurity diligence a priority

Cybersecurity is a major concern for companies of all sizes, and private equity (PE) firms are no exception. In fact, PE firms are increasingly targeted by cyber-attacks as they tend to hold a large amount of sensitive information, including financial data, customer information and intellectual property.

There has been a recent uptick in so-called “supply chain hacking”, in which attackers target third-party providers that supply critical technology components and use that foothold to reach the systems and data of the providers’ customers.

Notable examples of such supply chain attacks include the SolarWinds and Kaseya breaches. In some ways, private equity firms are the ultimate “supply chain” target: they tend to hold sensitive data on, and have access to, the portfolio companies they own, and they tend to have deep pockets.

A recent study by the Ponemon Institute found that the average cost of a data breach for a financial services company was nearly $6 million in 2022. This is significantly higher than the average cost of a data breach for other companies, which is $4.35 million.

It’s clear that even well-protected PE firms are an attractive target for enterprising hackers looking to make a quick buck.

A single target to attack

PE companies are often more difficult to protect than the typical organization. With many employees working remotely, it’s difficult to keep track of who has access to sensitive information and how they’re using it. Middle market PE firms, which make up the majority of the market, often invest in start-up companies that don’t have the IT security budget or expertise to build the necessary internal security controls.

To protect themselves and their portfolio companies from cyberattacks, PE firms must focus on cybersecurity during the due diligence process when evaluating potential acquisitions. A data breach or ransomware attack could have a significant impact on the value of the acquisition and could also damage the company’s reputation.

Here are some tips that PE firms can use to assess the risk of a potential acquisition during due diligence:

  • Ask the target company (both the IT team and leadership) about its current cybersecurity policies and procedures, and review those controls. Perform IT/cybersecurity due diligence on behalf of the company and complete a gap assessment against NIST controls.
  • Review the target company’s insurance policies, including any specific cyber insurance the company pays for. Often, insurance policies have lapsed or there is a gap in the target company’s security policies.
  • Perform open source threat analysis, including scanning the dark web for compromised employee credentials and other potential threats. It’s often shocking what’s out there; in rare cases this reveals an active cyber breach, but more often it informs post-acquisition remediation recommendations.
  • Review the target company’s security records to see if there have been any recent breaches. This is recommended for all due diligence processes, assuming the records are accessible.
  • Assess the target company’s incident response plan. In the event of a cyber attack, a well-designed incident response plan can help mitigate the damage and limit the impact on the business. Make sure there is an effective plan in place and that it is regularly tested and updated.
  • If applicable, assess the target company’s compliance with industry regulations and standards. Depending on the industry, companies may be required to comply with certain cybersecurity regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR).

You may also occasionally want to perform penetration testing of the target company’s systems to identify any vulnerabilities. You don’t always have time to do this during the due diligence phase, as it’s an extremely involved deep dive process, but it’s often a critical “next step” in the post-acquisition roadmap.

It is important to recognize that not all vulnerabilities or cyber risks can be addressed before a deal closes, and unless due diligence reveals an active breach at the target company, the risk is rarely so severe that a buyer should not complete the planned acquisition. Typically, the most important outcome of IT/cybersecurity due diligence is the creation of a roadmap or schedule of investment to strengthen IT security, patch vulnerabilities, and fill any gaps.

By conducting a thorough cybersecurity due diligence process, PE firms can help mitigate the risks of a data breach or other cybersecurity incident. This will help protect the value of the acquisition and the reputation of the private equity firm.

Chris Snyder is a senior sales engineer at Safety quadrant

Image: ismagilov
