Over the past 12 months, we’ve seen common business risks morph into major business upheavals. Private equity firms have seen their portfolio companies deal with issues on multiple fronts, including geopolitics, economics, supply chains and public health.
Another factor driving down returns has been the unrelenting barrage of cyberattacks, from ransomware to insider threats. Losses from cyber incidents were estimated at $6 trillion in 2021 and are projected to exceed $10 trillion by 2025.
In the past, most PE buyers saw cybersecurity concerns as part of the wider risk conversation. Justin Daniels, a shareholder with the law firm Baker Donelson, has more than 20 years of experience advising clients on all aspects of M&A transactions. He has handled deals collectively worth more than $1 billion and notes, “I am not seeing (yet) cyber risks preventing most private equity deals from closing.” According to Daniels, in the past, the ability to transfer that risk to cyber insurance likely provided investors with a measure of confidence to not push the issue and risk derailing a deal.
Both Daniels and I have observed that it often takes living through a major cyber incident (a ransomware attack, for example) before a PE firm considers cyber risk thoroughly; until then, cyber due diligence tends to be treated as a "check the box" exercise. Even firms that require more meaningful diligence usually plan to address the needed cybersecurity improvements after the deal closes, which means the cost of those improvements is rarely reflected in the price. While pockets of good opportunities exist for well-capitalized buyers, two cyber-related developments are converging that should have PE firms looking at cyber due diligence in a new light.
Transferring risk via cyber insurance is no longer a sure thing
Cyber insurance today is both harder and much more expensive to get. The industry absorbed significant losses in 2020-2021, largely from ransomware claims. If you have had an incident, it is now almost impossible to get cyber insurance at all. If you do have a chance at coverage, expect underwriters to hand you four to five pages of granular controls and to require proof that each one is in place; typical items on these questionnaires include multifactor authentication on remote access and email, endpoint detection and response, tested offline or immutable backups, and controls over privileged accounts. There is no negotiating for time to remediate shortfalls after coverage is bound: no compliance, no policy. Even then, we have seen premiums double and even triple this year.
Proposed new SEC rules focus on cyber strategy
On March 9, 2022, the Securities and Exchange Commission announced that it was proposing new cybersecurity risk management rules for public companies, focused on more timely and complete reporting in three areas:
- Reporting of material cyber incidents on Form 8-K, within four business days of the company determining that an incident is material
- Periodic reporting of the company's cybersecurity risk management policies and strategy, how they are implemented, management's role in assessing and managing cyber risk, and the cybersecurity expertise of the board of directors
- Updates on previously reported incidents in periodic filings
Daniels points out that the SEC has not yet addressed enforcement, which makes it difficult to predict how compliance will roll out. Recent SEC penalties, however, may hold a clue. In June 2021, the SEC announced a settlement with First American Financial Corporation that included a penalty of roughly half a million dollars for "disclosure controls and procedures violations." The company had disclosed, in its filings, a vulnerability that had exposed sensitive customer information. The SEC's position was that the executives responsible for the disclosure had understated the severity of the incident without knowing it, because the company's information security staff had identified the vulnerability months earlier and had not escalated it to them. Then in August 2021, the SEC announced a $1 million settlement with Pearson plc, which it charged had misled investors about the severity of a data breach that occurred in 2018. In both cases the penalty was for the quality of the disclosure process rather than for the breach itself, which is exactly the gap that diligence on a target's incident escalation and reporting procedures is meant to find.
Cyber due diligence advantages for PE buyers and investment targets
Daniels anticipates that the SEC will release final versions of its cybersecurity reporting rules by the end of the year. Looking ahead, he suggests that PE firms use cyber due diligence to quantify what it will cost to bring a target company into compliance and renegotiate the investment accordingly. He also speculated that "the new SEC rules, particularly the emphasis on board cyber security expertise, may provide some assurance that cyber issues will receive regular leadership attention," further protecting the investment.
Here at Kroll, we have found that cyber due diligence gives PE firms visibility into the issues the SEC has specifically called out: security risks and shortfalls in governance, operations and technology, as well as undisclosed or unknown data breaches. We have also conducted proactive, sell-side due diligence for companies preparing to be acquired. A company that can provide independent documentation of its cyber maturity can support a higher valuation in negotiations. It will also be in a stronger position to obtain cyber insurance, which in turn makes it more attractive to a PE buyer.
Facing estimated cyber losses of more than $10 trillion by 2025, and without the cyber insurance backstop of the past, private equity firms can use due diligence as a proactive tool to identify, quantify and manage risk and to build a more secure and more valuable portfolio.
Keith Novak is a managing director at Kroll, a leading independent provider of risk and financial advisory solutions