Private Equity Firms Need Cyber Due Diligence
Verizon’s pending acquisition of Yahoo highlights a substantial risk faced by all private equity firms: how much cyber risk will the next transaction add to their portfolio?
Yahoo’s recent disclosure that company staff had known about the largest breach in history begs the question: what, if anything, was the C-suite doing to manage cyber risk? What, if anything was the Yahoo board doing to oversee cyber risk? And if the largest breach in history had come to light after the transaction was closed, what would the effect have been on Verizon’s earnings?
“In addition to possibly scuppering one of the year’s biggest deals, Yahoo’s gigantic security breach has led to a plethora of federal, legal, state, and local investigations; and 23 class action lawsuits from consumers.”
NBC News, Nov. 10, 2016
When I spent several years doing acquisitions for a public company, we executed a detailed due diligence process. During the largest deal, a $200M transaction, a team of accountants, attorneys, and executives spent an entire week in a luxury hotel poring over thousands of documents from dawn to midnight. Our objective was to identify potential risks that could affect the valuation and prevent the deal from being accretive to earnings (e.g., poor financial reporting, poorly written contracts, inadequate business processes).
A private equity firm faces substantial risk when adding new investments to its portfolio, and undetected risk can negatively impact investors. Cyber risk represents a major threat to valuation through potential lost revenue, derivative lawsuits and regulatory actions, and reputational damage. How can a private equity firm protect itself from adding substantial cyber risk to its portfolio?
The answer is obvious: evaluate the target company’s cyber resilience as part of the due diligence process. For both boards of directors and acquirers, cyber risk should be handled and managed in the same manner as other types of risk. The Audit Committee of the board is tasked with identifying and mitigating various forms of risk that threaten shareholder value, and cyber risk must be on the list. Similarly, acquirers like PE firms need to identify any and all risks to valuation during the due diligence process, and cyber risk must be included in their analyses.
“Cyber risk is measured by comparing a company’s operational processes against some form of standard and reporting the results. How it’s accomplished varies, including the standard chosen, the manpower consumed, and the credibility of the resulting report.”
Cyber risk is measured by comparing a company’s operational processes against some form of standard and reporting the results. How it’s accomplished varies, including the standard chosen, the manpower consumed, and the credibility of the resulting report. If Joe Fred Consulting compares the company against its spreadsheet list of detailed questions, credibility of the resulting report rests upon the consulting firm’s reputation for its cybersecurity expertise. Using proprietary checklists leaves boards and PE firms open to criticism from, and even actions by, shareholders if a subsequent breach occurs, even if they employed a credible consulting firm.
Assessing cyber maturity against a widely recognized standard is a much safer option for due diligence. The Cyber Security Framework (CSF) developed by NIST is by far the most often recommended benchmark, and it should be adopted as the foundation upon which to build a cyber risk assessment. It was developed by experts, is hailed as the gold standard in the U.S., and is gaining considerable interest outside North America.
The level of manpower consumed during an assessment is another key issue for PE firms. After signing a letter of intent that defines the planned transaction, the typical due diligence period is 60 to 90 days, and a cyber risk assessment must fit within that period. Traditional one-time cyber assessments involve hiring a large consulting firm with its own proprietary checklists. Large numbers of analysts fan out across the organization to gather information, and in the end, a comprehensive report based on the checklists is delivered.
This traditional approach isn’t practical for a pending acquisition. It takes too long to fit within the due diligence period, the additional temporary staff introduced are disruptive to operations, and the process can raise suspicion among employees about a pending transaction.
An automated process based upon recognized standards like CSF, HIPAA, and FFIEC is the optimal answer for assessing cyber risk during due diligence. Automating with a SaaS platform based on these standards enables completion of a comprehensive, organization-wide assessment within 30 days. The manpower consumed is minimized, and the credibility of the result is maximized.