
Securing Your Investments: Why Cybersecurity Matters for Private Equity Investments

By E.J. Yerzak, CISA, CISM, CRISC and Mike Farrell, CISA, CISM – CSS Cyber IT Services

Would you buy a car without taking it for a test drive? It seems obvious you would want to know the vehicle has all its parts, and that those components work together to make the vehicle operate properly. Unfortunately, in the world of private equity investing, advisers may be doing exactly that, investing in a business before taking it for a proverbial test drive to evaluate the number one risk facing any firm today: cybersecurity.

To be fair, private equity advisers conduct substantial deal-related due diligence prior to deploying fund capital into a privately held business. But at the end of the day, how much of that due diligence is driven by the current financials, EBITDA, revenue forecasts, and competitive advantage? What attention, if any, is given to the information security posture of the organization? Cyberattacks on public companies make all the headlines, and it may surprise some to hear that companies of all shapes and sizes are at risk of a cyberattack or data breach. A single cyberattack or breach could put a small to mid-size company out of business once cybersecurity forensics and legal expenses mount, with drastic consequences not only for the business, its clients and employees, but also to the fund’s valuation and the investment adviser’s bottom line. As the annual Verizon Data Breach Investigations Report reveals, incidents and breaches are occurring in just about every sector, from healthcare and manufacturing, to retail and professional services firms[i]. While larger organizations may have a bigger target on their backs, small to mid-size organizations tend to have a similar wealth of valuable data but fewer resources devoted to protecting it. Fully understanding a business’s risk profile prior to closing a deal can help mitigate the potential for unwanted surprises, as Verizon itself discovered during its acquisition of Yahoo! when a prior, undisclosed breach of Yahoo! came to light.

The Yahoo! breach resulted in Verizon reducing its valuation of the investment by $350 million, proving just how much impact a cyberattack can have on a seller’s ability to price attractively, and a buyer’s willingness to pay.

Understanding the cybersecurity risk of a portfolio company investment is not just critical at the initial deal stage, it is equally important throughout the life cycle of that investment, as it can alter the valuation of the portfolio company at any time, including at the exact moment a fund is looking to exit. That car you took the time to test drive and put through the paces before buying? It also needs regular tune-ups and maintenance to obtain assurances it won’t break down when needed most.

Private equity advisers strive for attractively valued opportunities with predictable revenue streams, not unwelcome surprises in the form of preventable cybersecurity incidents – and they are in fact preventable. The majority of incidents stem from exploits of published vulnerabilities with readily available fixes that were simply not yet implemented by the organization. Identifying these vulnerabilities during initial deal due diligence and staying abreast of them throughout the fund’s life cycle is key to avoiding cybersecurity surprises.

The standard in regulatory compliance


Putting Your Shield in Place

CSS’ Cybersecurity services empower organizations to adopt a focused and business-driven approach when managing and mitigating their IT risks. As businesses embrace digital, mobile, and cloud-based operating models, the need to protect information security and privacy is greater than ever. Given the rise in cyber-attacks and data breaches, IT risk management has become a top priority.

Shield, the Cybersecurity division of Compliance Solutions Strategies, offers cybersecurity peace of mind to limited partners and registered investment advisers to private equity funds by helping them understand, in layman’s terms, the cybersecurity risk profile of their investments. Our experienced consultants have achieved numerous cybersecurity industry certifications and have been assisting advisers and investors for over a decade in identifying and managing cybersecurity risk effectively, efficiently, and with a practical approach that lets you focus on managing the business and the funds.

The process begins with a cybersecurity gap analysis, a detailed review of current cybersecurity policies, procedures and controls in place at the firm. Consultants use existing policies and procedures to build an initial risk profile of the firm, identifying key risk areas to focus on during the on-site visit. While on site, consultants gather additional information through interviews, observations and access control testing. Employee awareness of social engineering risks is repeatedly tested through email phishing campaigns followed by training modules geared towards reinforcing key cybersecurity topics. Firms looking for a deeper assessment of underlying vulnerabilities can also opt to supplement their cybersecurity risk analysis with a technical assessment including network vulnerability scanning and network and web application penetration testing. Shield provides a comprehensive cybersecurity review of your existing portfolio holdings and can be used to supplement your due diligence of an investment prior to closing the deal, enabling advisers and limited partners to focus on what they do best – deploying capital and managing the portfolio.

What Does Portfolio Company Cybersecurity Due Diligence Look Like?

A detailed evaluation and assessment of cybersecurity controls should be an essential part of any initial deal due diligence, and an ongoing process thereafter. While other aspects of the diligence process such as key metrics and performance indicators, seasonal impacts on revenue, and competitive advantage can vary based upon the sector and the specifics of the deal, cybersecurity is largely industry-agnostic because every business is trying to deal with the same cybersecurity risks.

Cybersecurity can be viewed as a three-legged stool, resting upon the following three legs:

1. Policies and procedures reasonably designed and adequately tailored to a firm’s particular risk appetite

2. Technical controls properly configured to implement those policies and procedures in a manner informed by the organization’s risk prioritization and budget

3. Testing and training which includes cybersecurity testing to validate the effectiveness of the policies, procedures, and controls, as well as testing and security awareness training of the organization’s staff, enabling them to serve as an effective front line of defense against phishing, malware, and other threats.

A strong cybersecurity program therefore takes into consideration processes, technology, and people. Take any one leg away, and the cybersecurity program falls flat. Policies and procedures are only effective if they are followed and comprehensive in scope to address relevant risks. Technical controls may have been effective when first implemented, but threats evolve at lightning speed and countermeasures must keep up. Cybersecurity testing, including vulnerability scanning and penetration testing, can help to obtain assurances about the effectiveness of a firm’s defenses by revealing network risks to a firm while there is still time to plug the holes, before a hacker finds them. Finally, social engineering testing campaigns and robust security awareness training can help to identify vulnerable staff and bring them up to speed on how to spot warning signs of phishing and other tactics.
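The paper's central technical claim, made earlier and repeated here, is that most incidents exploit published vulnerabilities whose fixes already exist but were never applied, and that diligence should surface these before closing and keep watching them afterwards. The following added example (not code from the whitepaper or from CSS) shows the kind of patch-lag check a reviewer can run over a target company's software inventory: it compares each installed version against the first fixed version in a list of advisories and reports how many days each fix has been publicly available without being applied. The component names, versions, advisory dates and the 90-day remediation window are constructed for illustration; real reviews would feed in the target's asset inventory and a vulnerability feed instead.

```python
"""Patch-lag check for portfolio-company cybersecurity due diligence.

Added example, not part of the CSS whitepaper. It assumes two constructed
inputs: a software inventory gathered from the target (host, component,
installed version) and a list of published advisories (component, first fixed
version, fix publication date). All names, versions and dates are made up.
"""
from datetime import date
from typing import NamedTuple

# Assumed remediation window used to flag long-outstanding fixes (example value).
PATCH_SLA_DAYS = 90


class Advisory(NamedTuple):
    component: str
    fixed_in: str    # first version containing the vendor's fix
    published: date  # date the fix became publicly available


class Installed(NamedTuple):
    host: str
    component: str
    version: str


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version such as '5.7.22' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_unpatched(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the first fixed version.

    Both tuples are zero-padded to the same length so that '1.2' and '1.2.0'
    compare as equal instead of '1.2' sorting before '1.2.0'.
    """
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def patch_lag(inventory, advisories, as_of: date) -> list:
    """Return one finding per (host, advisory) pair where the fix is missing.

    lag_days is how long the fix has been publicly available without being
    applied, measured at the as_of date of the review.
    """
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv.component == item.component and is_unpatched(item.version, adv.fixed_in):
                findings.append({
                    "host": item.host,
                    "component": item.component,
                    "installed": item.version,
                    "fixed_in": adv.fixed_in,
                    "lag_days": (as_of - adv.published).days,
                })
    return findings


def summarize(findings, hosts_checked: int) -> dict:
    """Roll findings up into the headline numbers a diligence memo would quote."""
    lags = [f["lag_days"] for f in findings]
    return {
        "hosts_checked": hosts_checked,
        "unpatched": len(findings),
        "max_lag_days": max(lags, default=0),
        "over_sla": sum(1 for d in lags if d > PATCH_SLA_DAYS),
    }


# Constructed sample data (not real products or advisories).
ADVISORIES = [
    Advisory("webapp-framework", "2.4.1", date(2018, 1, 15)),
    Advisory("vpn-appliance", "9.0.3", date(2018, 3, 2)),
    Advisory("db-server", "5.7.22", date(2018, 4, 20)),
]
INVENTORY = [
    Installed("web01", "webapp-framework", "2.3.9"),
    Installed("web02", "webapp-framework", "2.4.1"),
    Installed("vpn01", "vpn-appliance", "9"),        # short version string
    Installed("db01", "db-server", "5.7.22"),
    Installed("db02", "db-server", "5.7.2"),         # 5.7.2 is older than 5.7.22
]
AS_OF = date(2018, 6, 1)

if __name__ == "__main__":
    results = patch_lag(INVENTORY, ADVISORIES, AS_OF)
    for f in results:
        print(f"{f['host']}: {f['component']} {f['installed']} "
              f"(fix {f['fixed_in']} available for {f['lag_days']} days)")
    print(summarize(results, len(INVENTORY)))
```

Run as-is, the check flags three of the five constructed hosts; the "over_sla" count and "max_lag_days" are the two numbers that translate directly into the paper's point about preventable incidents, since a fix that has sat unapplied for months is a finding the buyer can price or require the seller to remediate before closing. Re-running the same check on a schedule after the deal gives the ongoing monitoring the paper calls for.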

A strong cybersecurity assessment conducted by a reputable consulting firm may also help portfolio companies to save on cybersecurity insurance policy premiums.


[i] 2018 Verizon Data Breach Investigations Report, 11th Edition - Enterprise.verizon.com

compliancesolutionsstrategies.com

For more information on CSS Shield services, visit www.cssregtech.com/products/shield/