Due diligence: Cybersecurity at the portfolio level
Shawn Henry*, president of CrowdStrike Services and the chief security officer of CrowdStrike, Inc., outlines the importance of strong cybersecurity governance at all points in the investment chain
No one would buy a property without first inspecting it—conducting a full survey before investing hundreds of thousands of dollars. The same is true in the private equity market. Financial due diligence is an established and expected component of every buyout transaction to provide assurance that the business has been accurately valued, is robust and is a viable investment.
It is now more important than ever for diligence processes to include a company's cybersecurity awareness, processes and defenses over its information systems, products and services. Everything companies do today in support of their business is connected to their networks or their critical vendors' networks, and to the continuous data flow between them. Digital assets—from intellectual property to corporate strategies and customer data—are stored on networks persistently targeted by a broad spectrum of adversaries. Every desktop, laptop, smartphone, server and router is a potential entry point for a hacker, and there can be hundreds of thousands of endpoints in a single organization.
Many have already begun to take the issue of cyber protection seriously, and we often engage with law firms who understand that cybersecurity is a necessary part of the due diligence process. Some investors, however, still fail to recognize the scope of risk until they face a personal liability or suffer a loss. Private equity funds may not see their portfolio companies as likely targets for cyber attacks or may carry false confidence in the systems in place to defend network environments. These misconceptions can, in some cases, inflict irreparable damage to the company's industry reputation, customer trust, and the overall value of the business.
Our philosophy is that you will never prevent every ingress into your organization's environment. Rather, you need to identify and detect anomalous behavior quickly to mitigate the consequences of an attack before it becomes a breach. We often see adversaries that have breached networks for days, even months, undetected. In some cases, the company may not have even been the intended target but cyber tools and exploits can wreak havoc by proliferating across networks, spreading from organization to organization. In many investigations, we see the supply chain as the entry point for a breach, and this is becoming more and more frequent.
This is why cyber due diligence must be thorough—encompassing technology, processes and people. It should evaluate both the organization's information security function and its leadership, which sets the tone for cybersecurity governance. It should ask: Is the information system architecture effectively structured? Are the risks well understood, and are they reviewed on a constant basis to keep pace with the sophistication of threat actors and their tradecraft? Are the right measures in place to detect breaches, and what is the average response time? What are the policies and processes for connecting with third-party vendors, and does the organization assess the nature and degree of connectivity in the supply chain as a risk vector? There is a vast range of questions to answer in assessing the maturity level of an organization and how it benchmarks against its competitors and established industry standards.
Companies that lack formal cybersecurity risk management processes may be quick to say they haven't had a breach and have no material vulnerabilities. This is often because the company lacks the necessary insight into its potential areas of vulnerability and knowledge of the current cyber threatscape. When we review such companies, we often find either that they lacked the capability to find the problems that riddled their networks, or that they saw no benefit in looking for them, reasoning that anything found would then have to be disclosed. Ironically, the better companies tend to be those that disclose recent vulnerabilities but have them categorized by severity, with a plan in place to address them.
The introduction of the General Data Protection Regulation (GDPR) in Europe this year is a major step toward the harmonization of personal data security, and is forcing businesses to improve their cybersecurity standards and technology defenses. All companies that hold EU citizens' data, no matter where in the world they are headquartered, fall within the scope of the law and risk paying punitive fines for major breaches. Under the GDPR's "security principle," companies are obliged to adopt measures that are appropriate to the risks presented by the nature of their data processing. This includes evaluating how "state of the art" the technology is that is used to protect data and whether it is fit for purpose, a critical part of any valid due diligence process.
Of course, compliance in and of itself is not a security solution. It helps to build a foundation but does not keep up with the velocity of the threat. Substantive regulatory fines notwithstanding, security breaches can have a huge impact on a company's reputation and bottom line, and consequently its shareholders' return on investment. To protect revenue and preserve—indeed to enhance—the value of their portfolios, private equity firms must ensure that the companies in which they seek to invest apply best practice in managing cybersecurity risk and data protection threats.
Cyber M&A risk assessments are now, therefore, essential to avoid significant unforeseen investments to bring an organization's security controls up to an acceptable level. They also give investors peace of mind that companies are equipped to respond to and mitigate the impact of inevitable attacks. Performing a cybersecurity risk assessment within the context of an M&A transaction requires a unique combination of targeted timing and comprehensive analysis activities. Ideally, organizations would gain visibility into the cyber health of the company they want to acquire prior to a transaction. Where this isn't possible, the review should occur before introducing anything from one environment into the other. Tactically, it's recommended that you gain an understanding of the target organization's cyber health from two perspectives. First, assess whether there are any existing compromises or evidence of poor hygiene resulting from malware, policy violations or suspicious activities. Second, assess the cybersecurity capabilities of the organization to understand the relative maturity of the people, processes and technologies in place.
Organizations that take these prudent steps will identify problems sooner, help to mitigate the consequences of malicious activity and minimize risk. Organizations that fail to perform due diligence prior to every buyout transaction are, ultimately, exposing themselves to great risk and failing in their fiduciary duty.
* Shawn Henry is the president of CrowdStrike Services, the chief security officer of CrowdStrike, Inc., and a retired executive assistant director of the FBI.
© 2018 White & Case LLP