Yet cybersecurity represents the kind of infrastructure support that should be welcome by a portfolio company and recognised as a win-win.
An alternative, which some of the leading PE companies are adopting, is to create a programme for their portfolio companies to implement. The PE company sets expectations for the portfolio companies to manage their cybersecurity risks with the aid of external consultants and counsel.
The portfolio companies, in turn, engage the third parties to conduct a risk assessment, review controls, policies and procedures, and run what is known as a 'tabletop exercise'.
In the tabletop exercise, the portfolio company executives engage in a simulated exercise to understand their cybersecurity risks and practise their response. The result of these risk assessments and exercises is often a roadmap to cyber maturity. While the process starts with rather simple cyber hygiene improvements, it can take years to achieve true maturity.
Regulation
Understanding the importance of cybersecurity and the severity of the current threats is imperative, with global regulators starting to put increasing pressure on financial advisers’ cybersecurity practices.
On February 9 2022, the US Securities and Exchange Commission proposed new cybersecurity rules to regulate private fund advisers and protect investors. These new rules contemplate greater cyber risk oversight and disclosure of cyber incidents.
Regardless of applicability outside the US, these rules represent a growing trend of cyber regulations anticipated around the world in the next few years. If funds will not mature cyber operations without an extra nudge, regulators will add the nudge.
Maturity for acquired companies still leaves open the question of cyber due diligence pre-acquisition. Regulators have fined companies millions of dollars for cybersecurity failures of acquired companies.
PE companies have also suffered millions in losses from acquiring companies that had breaches shortly after the acquisition, well before any new cyber maturity plan could be implemented. Some attacks cannot be anticipated, but cyber due diligence is itself an area requiring maturity.
In the haste to close a deal, cyber due diligence often consists of a review of policies and procedures, with very little true peeking into the target’s controls.
Most acquisition targets would resist a potential acquirer’s request to conduct a penetration test or deploy software into the target’s network to scan for issues.
That is understandable, but other options exist, such as a review of external metrics, incident reports made public, and cyber-threat intelligence.
Additionally, spending time in interviews can often shed more light on the real cyber maturity of a target and allow acquirers the opportunity to ask pointed due diligence questions following a document review.
