Key data security considerations for PE groups
Private equity firms are having to double down on cyber risks in the current climate, as hackers exploit the chaos caused by Covid-19 to target PE-backed companies with ransomware attacks. A recent Bloomberg article made the point that, because many PE owners have deep pockets, they are a prime target for ransomware attackers, especially those driving operational efficiencies to improve a company’s P&L position; in certain circumstances this can lead to stripped-back cybersecurity operations.
As Mike O’Malley, vice president at Radware, told Bloomberg: “You’re telling attackers you’re going to inject a large amount of capital into a company that presumably has valuable intellectual property,” adding, “It’s like giving them a road map to the pot of gold.”
Investment managers will always approach cyber risk, and how they protect data, in their own idiosyncratic way. Often it comes down to operating budgets and how much senior management are willing to commit to embracing sound cybersecurity best practices. This does seem to be changing, as private equity investors double down on cyber-related risks as part of their ODD process.
Dannie Combs is SVP and CISO at Donnelley Financial Solutions (‘DFIN’). He concurs that ransomware attacks on PE-backed companies are certainly an area of increasing risk, especially during the acquisition process.
“Bad actors watch these trends very closely, and exploit them,” says Combs. “With respect to PE firms in particular, one of the most common questions we get asked is, ‘How should I look at cybersecurity?’
“They need to protect not only their own organisations but it also needs to be a top-line item as part of their investment due diligence process. Whether they do this internally, or hire a cybersecurity firm to help conduct a technical assessment of the target company, that risk needs to be understood.
“If you go back to the Yahoo, Verizon deal, the economic impact that Yahoo’s breach had on the valuation of that deal was enormous.”
The attack in question happened in 2017. Although the deal went ahead, the original USD4.8 billion purchase price offered by Verizon Communications ended up being discounted by USD350 million.
PE firms operating in the large-cap M&A space with billions of dollars in capital commitments are leaning on trusted technology partners and cyber specialists to keep sensitive deal information as watertight as possible, as they cast an eye back to the financial impact felt by Yahoo.
This not only helps to protect their investment interests but also, crucially, shapes how PE managers assess the cyber risks of target companies at the pre-deal acquisition stage.
According to Paul Harragan, director of cybersecurity at the operational transaction services department of EY, large-cap firms have definitely adopted cybersecurity earlier than mid-market firms “and I would estimate 75 per cent of the PE industry now takes cybersecurity very seriously”.
“It’s now a board agenda topic,” he says, “and it applies across the investment lifecycle, with regular reviews of their portfolio companies. Part of this is being forced by insurers and other market influencers.”
“Cyber controls must be, and generally are a board topic,” says George Ralph, Managing Director, RFA (UK). “Most of our clients globally take a risk mitigation approach to cyber risk and implement a fully informed risk impact strategy. They want to implement the very highest level of cybersecurity to ensure that their data and that of their portfolio companies is protected.”
Cybersecurity has become a critical component of due diligence for all the reasons one can imagine; everything from compliance risk to intellectual property risk and legal liability risk. If one buys a company that has been hacked and a huge data breach emerges, even if that breach started before you became the owner, the risks of liability, financial fines and reputational damage are huge. Reps and warranties can help but they aren’t a complete solution.
“If a company’s intellectual property has been compromised, you may find yourself buying something that is completely worthless,” comments Andre Pienaar, founder and managing partner of C5 Capital, one of the UK’s leading cybersecurity investment managers. “Many of the clients of our portfolio companies are PE groups, who all practice extensive cybersecurity due diligence, both pre-transaction as well as running comprehensive cybersecurity programmes for their own portfolio companies.”
One of the leaders in this field is Permira. They have set best practices and a gold standard for both cyber due diligence before they invest and maintaining good cyber hygiene in their portfolio companies during the investment management period.
Harragan believes that cyber risk is a topic that can no longer be ignored. In his view, it has the potential to adjust the EBITDA of a deal, but it can also be used as a value creation proposition quite strongly.
“When it comes to selling a portfolio asset, if you can evidence cybersecurity being controlled and invested in throughout the investment holding period, it is going to add value.
“If we do cybersecurity due diligence pre-deal for a client and we identify, for example, 15 risks, of which two are high, we advise the deal team to add the risk remediation activities to be written into the term sheets, suggesting that these two high risks be mitigated within the first six months of ownership. And thereafter, perform a pro rata review,” explains Harragan.
Covid-19… a black swan event
The threat landscape is constantly evolving, and business operating models change. It’s not like a PE group can do a one-off risk assessment. They need to threat model the future to make sure they have the mechanisms in place to handle any inbound risk over the duration of the investment.
Assessing cyber risk is essentially a form of threat intelligence, which firms like EY and others can provide. Who would have predicted the threat landscape created by Covid-19? It was a completely random ‘black swan’ event.
Firms not only have to deal with risks to the perimeter of their offices but, as their operating models adapt to the current climate, they are now having to support potentially hundreds of staff working remotely, beyond the perimeter.
“We work closely with clients to mitigate the risks associated with remote working, which are numerous,” explains Ralph. “The key risk right now is that the change in operating model is of course public and the timelines were and are tight. Attackers are taking advantage of the chaotic situation and that people’s emotions are running higher to exploit. A key priority is user training and increasing their vigilance. Identifying and reporting suspicious emails is crucial.
“At the company level, deploying centrally managed security systems, which continually monitor and protect the endpoints, are a good idea. Clearly, ensuring communication with staff, investors and regulators about impactful policy and operating changes are also important, there can be no ambiguity around best practice and company expectations.”
“Attackers can hide quite well and there is evidence they are exploiting users’ home networks. Even though you might have great firewalls in your business, the infrastructure you have at home is far less secure and not managed by the employer.
“Cybersecurity teams are having to adapt and pivot to the new operating model which widens the threat landscape they have to protect,” says Harragan.
According to ThreatCloud, a live cyber threat tracker launched by software technology company Check Point, close to 90 billion attempts at compromising data security occur globally on any given day. Compare this with the approximately 6 billion searches people conduct on Google every day.
The recently published study called Cyber Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards, published by the National Association of Corporate Directors (NACD) in partnership with the ISA, says that the very first principle for board cyber-risk oversight is understanding that cybersecurity is not an IT issue – it is an enterprise-wide risk management issue.
According to the Cyber Security Breaches Survey 2019, published on www.gov.uk, more than a third of UK businesses identified cybersecurity breaches or attacks in the last 12 months. Among the companies identifying breaches or attacks, 32 per cent needed new measures to prevent future attacks. Nearly half of businesses (48 per cent) identified at least one breach or attack a month.
Incorporating security early
New research by EY reveals that almost two-thirds of companies are failing to incorporate cybersecurity at an early stage as they focus on tech-enabled transformation projects and innovation.
Early findings from the latest EY Global Information Security Survey (GISS) reveal that just 36 per cent of cybersecurity teams are asked to play an early and integral role in such initiatives.
In Harragan’s view, given that risk control is very fragmented today, transparency is one of the critical points for investors in terms of realising the highest return on investment. Different houses handle risk differently: some PE firms take a high-risk-profile approach while others don’t.
“Before you go into the due diligence process, you have to formulate a risk assessment criteria with your investor, where you position this as a baseline against industry best practice and the investment hypothesis, which outlines how capital will inject and evolve the risk landscape,” he says.
Referring to the EY figures cited above, Pienaar feels that not enough GPs have invested in appointing and recruiting a CISO. In his view, it has become an essential role in any PE or VC investment firm.
“At C5 we have our own dedicated Chief Information Security Officer (CISO), who focuses on the cybersecurity of our business. We have agreed metrics in place to measure our cybersecurity performance, and our CISO reports on these to me, as the CEO, on a weekly basis, and to the wider board every month. We also regularly review the cybersecurity performance of each of our portfolio companies, and we encourage best practices on a peer-to-peer basis between the CEOs of our portfolio companies,” comments Pienaar.
He says that with respect to transparency, knowledge sharing is important. “At C5 we have a cyber resilience programme for our LPs, through which we help ensure our LPs are at the cutting edge of cybersecurity innovation. We also have cybersecurity as a standing item on the agenda at board meetings with all of our portfolio companies.”
Having that alignment in place, both at the GP board level, and the portfolio company board level, is key to ensuring PE/VC groups are able to stay one step ahead of the game and demonstrate to regulators and investors alike that data security is a central tenet of their operating model.
Good security needs good metrics
Good data security practice also relies on having clear metrics in place, as part of an ongoing review model.
One of the tools that has become very useful for cyber due diligence, and also for monitoring cybersecurity in an investment company, is cybersecurity ratings.
“This is an independent external scorecard assessment, and there are a number of these product offerings now in the market. It is basically a cybersecurity equivalent of a credit rating. One of these ‘outside in’ assessments looks at network security, website security, what is the internet traffic going into and out of the network, what is the cadence of patching software and so on. These sorts of arrangements have become of critical importance to be a sustainable PE/VC investor.
“As someone in my own right as an LP, I wouldn’t invest in anyone without knowing they have these sorts of best practices in place,” argues Pienaar.
John Eggleston is the CTO at Pantheon, one of the industry’s leading PE investment groups. He stresses that data security risks are always front of mind and continue to form a material part of Pantheon’s ODD processes.
“As I speak to you, the industry is indeed seeing increasingly sophisticated cyber attack attempts, and although this is not a new pattern, there is a pronounced step up in volume with millions of home-based workers. As new ways of combatting cyber risks are invented, criminals find new routes; accordingly, cyber security is an area where it’s important to be on the frontline at all times, and where companies like Pantheon necessarily have to focus on continual enhancement.
“Clearly technology risk mitigation needs to be highly robust. Pantheon ensures robustness from a threefold perspective, whereby we consider the confidentiality, integrity and availability aspects of the data we hold.
“In terms of incoming data, we undergo regular audits from clients, our parent company and regulators globally, in addition to tests and verification which we commission internally. Together, these ensure that we have appropriate levels of check and balance, and help us to focus where there might be areas for further enhancement or adjustment.
“As regards outgoing data, we focus on due diligence of our vendors where our vendor management processes include a focus on their cybersecurity as well as other third party risks. This isn’t just technology verification, but a wider, cross-departmental approach including, for example, our Risk and Compliance teams.”
Understand vendor risk
The point Eggleston makes about vendor due diligence is an important one. While PE groups are still getting up to speed with respect to embracing technology, those that are doing so must remain mindful that when using outsourced cyber risk and other IT vendors, they are not, by extension, outsourcing their responsibilities.
As such, understanding the cyber credentials of any vendor is just as important as understanding the financial health of a portfolio company.
As DFIN’s Dannie Combs explains, the stakes of getting this wrong today are just too high; not just for PE groups, but for any investment management company.
“I believe it is paramount that we hold any third party data vendor or technology partner, particularly if that partner is entrusted with confidential information, and that we hold any third party vendors accountable for demonstrating their commitment to data security,” says Combs.
“Virtually every one of our clients has demonstrated either a renewed commitment to security or a sharp increase in their expectations of security. The majority of our clients measure our commitment to security as part of their pre-sales process when selecting their preferred technology partner.
“On an annualised basis, the majority of our clients want to make sure we haven’t lost focus, and that we continue to do what we said we would do as part of those early discussions. We have annual audits, our incident response plans are reviewed, and we refresh our cybersecurity policies and procedures to ensure they are properly aligned with the evolving threat landscape.”
Credential theft going through the roof
Exploitation only happens when best practices are not being adhered to. This means PE groups must adopt a culture of good hygiene, driven from top management down, so that all employees understand the seriousness of how they use and share data internally with colleagues, and externally with service providers and investors.
Malware and phishing attacks continue to become more sophisticated and more automated as bad actors avail of the very same cutting-edge technologies (machine learning, natural language processing, etc.) being used by industry participants. Credential theft is designed to target human vulnerability; it can happen to anyone at any time.
As one cyber specialist observes: “There is now so much credential theft happening in the marketplace. These are being sold on the dark web, where sales have gone through the roof. I’ve seen some pretty sinister phishing campaigns being sent out to target firms.”
“If you conform to best practice and your business adopts the policies set by its cybersecurity leadership, using multi-factor authentication, encryption methods and scalability contingencies, then businesses will be able to handle this,” explains Harragan.
“However, based on my pre-deal cybersecurity due diligence experience for PE firms, I rarely see any contenders of top grade. No one scores perfect in all aspects of data security. There’s always maturity to be gained in all businesses, putting in place the correct control mechanisms that suit their operating model rather than what the industry tells them to invest in.”
At Pantheon, Eggleston stresses the importance of taking a holistic approach to data security, which centres around the three pillars of people, process and technology.
When considering data security specifically, all three of these must be robust to ensure effectiveness, he says, as comprehensive technology solutions alone are not enough to keep data secure.
“Now that our global team is working from home under our BCP, their vigilance is more important than ever. It is entirely correct that there is a market drive to increase investment transparency and receive a more granular level of detail. This is where, in addition to technology safeguards, the people and process elements come in.
“As well as comprehensive technology controls and data integrity checking, these increased requests arrive into a broader cross-section of teams around the business. This is where Pantheon’s focus on process governance, user training and regular cyber awareness testing plays an important role. Pantheon not only fully recognises the evolving landscape of data security risk, but prioritises that mitigating this risk must be an integral part of everything that we do. Our approach is to combine consideration of data confidentiality, integrity and availability with an overlay of mobilising our people and technology to ensure effectiveness.”
To conclude, one of the unexpected benefits to data privacy and security has been the introduction of the General Data Protection Regulation (GDPR) in the UK and Europe, which has quickly become the leading regulatory standard. This has certainly helped focus the minds of CEOs and pushed cyber risk from being merely an IT issue to very much a business-critical issue.
Fines have been introduced, and companies are now far more aware of their data security responsibilities, but as a final remark, Harragan comments: “What companies are struggling to forecast and calculate is that there isn’t a metric to understand brand damage at the moment and quantify it. If a company is breached it could lead to millions of dollars in IT upgrades or re-engineering software and customers choosing to boycott the brand; so there are other financial penalties to be taken into consideration over and above what the regulations impose.”