Cybersecurity Is A Key Deal Component For Private Equity (PE) Investors
The threats of security breaches involving personal and financial data are a constant concern to corporate America. The costs to a large corporation of addressing a major breach can reach $1 billion and include investigating the cause of the breach, fixing the breach, legal fees, customer reimbursement and damage control. Reputational damage can last for years and can substantially increase the long-term costs. Private equity investors need to focus on these issues both in a pre-deal and a post-deal context.
Once a target has been identified, acquirers are generally focused on financial and business due diligence. However, cybersecurity must also be analyzed at this juncture, and cybersecurity issues themselves may have significant financial implications. PE investors may have been advised to perform technical testing, aka “friendly hacking,” to determine if the target has any major weaknesses that can easily be breached. However, a more sophisticated approach, one that includes a substantial cyber maturity analysis, is advised.
A cyber maturity framework is key
Determining how “hackable” a potential acquisition target may be is really only one step in analyzing cybersecurity posture. To truly understand cybersecurity issues in a deal context, investors should consider a comprehensive cyber maturity analysis that examines all key areas that may impact cybersecurity risk. These include issues related to:
- Legal and regulatory requirements;
- Operations and technology;
- Leadership and governance;
- Human resource issues;
- Information risk management; and
- Business continuity and crisis management.
Regulatory concerns also might arise in a deal context. For example, if a PE fund owns a non-regulated entity, such as a grocery chain, and is considering purchasing a regulated company, such as a pharmacy, and integrating it, additional regulations surrounding privacy, record keeping, and information protection will likely apply.
Beyond the technical and operational components and the costs, cultural and human resource (HR) issues are another important cybersecurity component. HR concerns may potentially have a significant impact on the success of a cybersecurity plan and the ultimate success of the deal. For example, if the company being purchased is a start-up or a smaller company, its initial business focus may value agility over security. Part of the pre-deal due diligence should analyze these concerns and include a communication plan to help ensure buy-in from the target’s employees around required cybersecurity upgrades.
Before a deal closes, the PE fund should develop an integration plan that addresses cybersecurity and includes a cohesive strategy for systems, resource and process integration. While it is ideal to have a fully integrated cybersecurity program in place on Day One post-deal, at a minimum PE funds should identify, prioritize and address their most critical tactical remediation items to an acceptable level of information protection risk, as defined by the acquirer.
Some of the key issues that should be evaluated and addressed within a reasonable time period post-deal include developing a security strategy, implementing tactical and strategic tools and processes to manage information governance, and revisiting the structure of the information security organization. As the integration progresses, the integration team also should initiate a targeted review to monitor the cybersecurity posture of the merged entity on an established schedule.
Information is a strategic asset, and the ability to effectively protect this information will continue to grow as a factor to analyze and value in the pre-deal stage and to protect after the deal closes. In order to do so, due diligence must include a comprehensive cybersecurity analysis. As with most important deal concerns, cybersecurity issues should be investigated early, evaluated thoroughly, and included in any post-deal integration plan.
Authors: Mike VanDenBerg and Orson Lucas, Cyber Services, KPMG
KPMG is an AIC Tier 2 Associate Member