By Ian Bagshaw, Partner and Steven Chabinsky, Partner, White & Case LLP
Cyberattacks have become one of the biggest threats, not only to business but to society at large. Cybercriminals, hacktivists and nation states are now capable of deploying malicious code to bring down everything from corporates to critical infrastructure in an instant. As we become more dependent on connected devices, cyberattacks have the power to bring entire sectors to a standstill.
Government and regulatory focus on the issue is clear, reflecting its severity. It has been predicted that the new Interpol president, Kim Jong-yang, will push for an increased focus on tackling transnational cybercrimes, while MPs in the UK are urging the Government to act with more urgency in response to the growing cyber threat from hostile states.
Of course, it’s not only external threats that require attention. Companies also need to be careful of “the threat from within”. The security of a company can be compromised by well-meaning employees who are negligent or reckless, or who are otherwise duped into violating security, or by an employee who has become disgruntled, who is being extorted, or who chooses to act unethically for personal profit.
One of the main challenges around cybersecurity is the constantly changing nature of threats. Companies must regularly refresh and review their cybersecurity processes in order to keep up, and failure to do so will put them at greater risk of suffering material damage from an attack. All of this is particularly important for private equity firms, where cybersecurity issues present both a threat and an opportunity.
As attacks grow more pervasive and sophisticated, investors have come to recognize the urgent need to ensure that assets are well protected, and that cyber risk is managed effectively. This was thrown into sharp relief when the disclosure of two data breaches reportedly led to a US$350 million discount on Yahoo’s US$4.8 billion asking price when the Internet firm was acquired by Verizon last year.
In private equity, the loss or gain of value is what determines a firm’s success, and so understanding cyber risk has never been more important.
The very largest private capital firms are responsible for the management of hundreds of billions of dollars across a range of asset classes, and store sensitive client data and communications. If they were so unfortunate as to be the target of an attack, it could have a long-term impact on the reputation of the firm, hindering future business opportunities.
Arguably of even more pressing concern is the defensibility of portfolio companies. Cyberattacks can ruin a business’s reputation, cost it clients, customers and suppliers, and ultimately result in lost revenues and earnings.
A survey by Coller Capital found that private equity firms’ limited partners are already thinking about this, with 55 percent of investors saying they will require their general partners to undertake cybersecurity risk assessments for their management companies, and 45 percent requiring the same assessments at the portfolio level.
Encouragingly, we are seeing private equity firms and other acquirers increasingly prioritize cybersecurity in due diligence processes, particularly where it intersects with data privacy issues. For instance, data porting, such as the transfer of credit card details from one company to another in retail M&A situations, is being thought about more judiciously than ever before.
Private equity funds are taking a risk-based approach and understand that boilerplate approaches to cyber risk are ineffective. Certain sectors, including healthcare, infrastructure, and transport and logistics, face greater disruption if they are attacked, in ways that extend well beyond data loss to the potential loss of business continuity and even the loss of life. They are also exposed to higher reputational and value downside if they fall victim to breaches.
We understand that due diligence must go beyond law and regulations. Since often the only legal requirement is to have reasonable security under a risk management framework, the real diligence is in understanding the ways in which an individual company is exposed to cybersecurity risk in a practical, commercial, real-world sense. Diligent acquirers price risk into their acquisitions. Just as private equity firms must understand the cyber risk profile of investment targets when they evaluate deals, they can also use hands-on management to improve cybersecurity governance at their investee companies, making them more saleable prior to exit.
As the services of cybersecurity firms have become indispensable, we also see that private equity is taking a keen interest in this niche of the technology sector, with its recurring revenue models and growth potential representing a compelling source of investment returns. Over the past few years we have seen more private equity firms make large investments in companies operating in the cybersecurity space.
As corporations and governments focus ever more attention on the scale of the cyber threat and their vulnerability, private equity is at once assessing its own exposure while spinning this threat into an opportunity.
This article is an excerpt from White & Case Private Equity Viewpoint magazine, Issue #2: Cybersecurity: At the crossroads of risk.