By Joanne Baginski, EKS&H
From Equifax to Facebook, cybersecurity incidents are constantly in the news. This pervasive problem is not reserved, however, for household names. It also hits middle-market companies and their customers hard, often without generating big headlines.
This is why assessing cybersecurity risks has become a crucial aspect of the due-diligence process for private equity investors making acquisitions. With merger-and-acquisition activity hot, it’s vital that PE investors identify vulnerabilities and threats that may ultimately prove costly to their reputations and bottom lines.
Ponemon Institute’s 2017 Cost of Data Breach Study found that the average cost of a breach in the U.S. is $7.3 million — significantly higher than in other countries — and that the average size of data hacks is increasing.
Of course, finding out about an attack before a deal closes can also mean leverage in a negotiation on price. Verizon and Yahoo agreed to reduce the purchase price of the online portal by $350 million once it came to light that Yahoo emails had been hacked. The legal, business and reputational fallout associated with a breach must be factored in.
Unfortunately, 40% of acquirers say they have uncovered a cybersecurity problem at an acquisition after a deal closed, according to one survey of senior M&A practitioners. And 55% of PE investors say they expect to be hit by a serious cyberattack in the next five years, according to a Coller Capital survey.
Breaches are especially expensive in highly regulated industries, such as healthcare, consumer products and financial services, where the resulting costs can include stiff fines on top of remediation costs, financial losses and reputational damage.
PE investors should start assessing cybervulnerability even before considering a deal, by understanding broad industry-specific risks.
Healthcare operations, for example, must adhere to HITRUST standards to safeguard sensitive patient data in electronic health records, while businesses that conduct transactions on credit cards must comply with the Payment Card Industry Data Security Standard, or PCI.
Manufacturing companies are particularly vulnerable to hacks that target the theft of intellectual property and trade secrets. And all firms that operate in Europe or have customers there must comply with the stringent General Data Protection Regulation standards that go into effect on May 25.
Before undertaking any M&A letter of intent, PE investors should gauge whether the target company meets the applicable industry and regional standards and undertake an exhaustive assessment — of systems, people, and processes — to identify any weaknesses and vulnerabilities.
That assessment should also include a review of any contracts and relationships with third-party IT security consultants.
Due diligence often uncovers archaic and at-risk IT systems that may need to be modernized and inadequate governance that must be improved. Diligence can also calculate the specific financial cost of any upgrades that may be needed post-merger. Again, significant expenses can become a bargaining point during negotiations over price.
Once the deal closes, it’s about constant vigilance. PE investors should make sure their portfolio companies follow a checklist that keeps security robust:
Defend the perimeter: Ensuring hackers cannot break into the company’s network is the first priority in any security plan. This can be as simple as ensuring all recent patches have been applied to systems and software (more than half of all successful hacks exploit known vulnerabilities).
Inventory data: Companies should review their data systems to understand what data they hold, where it is stored, whether it is duplicated, what the firm’s retention policy is, and whether the firm complies with all necessary privacy standards.
Regulatory compliance: Industry and regional regulations must be followed, whether that’s HITRUST, PCI or GDPR. Firms should also map out a timetable of any upcoming regulatory changes and ensure that plans are in place to be compliant on time.
Manage users: Who is authorized to access sensitive data and how is such access managed? Are adequate procedures in place to manage permissions for new hires and when staff members leave?
Manage access: Are the right password procedures in place, including expiry and renewal, authentication, and use with virtual private networks? The 2017 Verizon Data Breach Report noted that more than two-thirds of all breaches involved weak or stolen passwords.
Monitoring: Even the best systems need monitoring software to watch for phishing and other hacks targeting a firm’s network and assets. Having properly trained IT staff or a contracted entity that can monitor the system logs for unusual activity is equally important.
Breach-Response Plan: Firms must establish a comprehensive plan to deal with the aftermath of any breach. Plans should include having contracts in place with appropriate remediation firms, and a plan for communicating with investors, customers and the media.
Organizational awareness: The best-laid plans can still fail if staff are not adequately trained. Staff should be educated about the firm’s vulnerabilities and how best to mitigate those risks, because most cyberattacks ultimately succeed as a result of human error.
For PE investors, understanding the risks of cyberattacks and ensuring the proper steps are taken to prevent them are critical to protecting your investment.
Joanne Baginski is a partner with EKS&H and leads the firm’s Transaction Advisory Services area, overseeing buy-side due diligence, sell-side transition planning, business valuation, financial planning and analysis and post-close integration services. Reach her at [email protected] or at +1 303-846-3309.