Cyber due diligence best practices for private equity firms
By Amy Gross, Global Private Equity Practice Leader for Liberty Mutual
I am diving into the world of cyber and private equity (PE) over a three-part series that will explore:
- Part I: Cyber due diligence best practices
- Part II: How PE boards can amp up their cyber expertise
- Part III: Playbook for when a cyber incident occurs
First up, cyber due diligence.
Cyber is a complex and constantly evolving challenge for any company, but couple cyber risk with private equity activity and the exposure compounds across the portfolio. In many cases, private equity firms struggle to see the aggregate risk across their portfolio companies and, if cyber risks are not managed appropriately, that aggregate exposure can translate into material financial loss for investors.
Top four risks to explore during the due diligence process
When it comes to cyber due diligence, there are four areas private equity companies should keep a close eye on:
- Risk profile and systems – what is the company's cyber risk profile? Are its IT systems current and patched? Does the company have a complete inventory of the IT systems in scope, including systems managed by third parties? Are those systems appropriate for the market being pursued? Are there processes and procedures in place to protect them?
- Human capital – have people been trained on cyber risk? What are the governance processes in place around cyber training?
- Cyber risk management and organizational structure – does the company have cyber risk management procedures? How is the company thinking about cyber from a general risk and controls perspective?
- External risks and threats – have third-party risk assessments and penetration testing been conducted? Have any potential incidents or exposures, such as past breaches or company data found on the dark web, been identified? Is the company compliant with the regulations that apply to it?
Controls and coverage: the mainstays of PE cyber due diligence
Once firms have identified their cyber pain points, they can begin building cyber programs that protect against those risks. These programs should be grounded in two pillars: controls and coverage.
There are foundational cybersecurity controls that most companies should have in place, including:
- Security policies and procedures: ensuring the organization has documented security policies and procedures and ensuring that they are up-to-date and comprehensive.
- Network security: protecting the network segments that provide access to high-value assets, such as customer data or intelligence on business operations.
- Identity and access management and insider threat management: managing who can access what data and when, making sure the right people have the access they need to execute business processes and nothing more; this also helps protect against malicious internal actors.
- Incident response: the ability to detect an incident or potential incident and respond to it rapidly.
- Third-party vendor management: knowing which third-party vendors the organization uses, whether those vendors' security practices have been reviewed, and whether they are contractually obligated to adhere to the same security standards the organization holds itself to.
- Employee training and awareness: ensuring employees know what a phishing or social engineering attack looks like, what information they should and should not provide to outside parties, and how every role, from entry level to the board, shares responsibility for cyber.
Ultimately, the cybersecurity controls a private equity firm and its portfolio companies have in place shape the coverage, or insurance piece, of a cybersecurity program, whether that coverage is purchased or self-insured. Working with a broker, a firm can identify its risk exposures, determine what limits are needed, and understand the policy details, including what falls outside the policy's scope.
Add-ons can further muddle the cyber puzzle
Add-ons present a unique challenge when it comes to managing cyber risk, because cyber is usually not a top-three item in due diligence and can fall by the wayside. It is not uncommon for a PE firm with a national growth strategy to acquire a regional add-on company that has little or no cyber controls. And, more often than not, firms are preoccupied with how the combined business will go to market and with the balance sheet, not with IT systems, during these transactions.
Taken together, this typical approach leaves the deal ripe for a cyber incident. The key to minimizing cyber risk with add-ons is to fold the add-on into the platform company's systems and controls quickly. It is also particularly important for firms not to become overly reliant on, or neglectful of, legacy systems left in place under transition services agreements (TSAs); those systems often sit outside the platform's patching and monitoring, so they should be decommissioned on a defined timeline.
Cybersecurity and cyber risk are not new. Yet, the need to continue the conversation is still urgent. The risk is evolving rapidly and how private equity firms approach the risk and execute due diligence can have a direct impact on long-term portfolio growth, stability, and reputation.
Liberty Mutual’s dedicated underwriters, close partnerships with our clients and brokers, and expert mitigation and claim resources help us deliver cyber liability solutions appropriate to the individual needs of companies across geographies and industries.