Private equity must prioritize cybersecurity
Strong cybersecurity governance is increasingly critical at all points in the investment chain
Cybersecurity breaches can destroy a company's reputation and severely damage its bottom line—and consequently, investors' returns. The effects of a breach may not be immediately apparent, and acquirers purchasing companies that have been breached may find that they have bought into a thicket of cyber threats.
To protect themselves, private equity firms must ensure that their due diligence processes include assessments of cybersecurity risks at potential portfolio companies. Those that do can minimize the threat of acquiring cyber issues that must later be fixed, often at great expense. Having a clear process in place will also reassure their own investors.
The EU's General Data Protection Regulation (GDPR), implemented in 2018, offers further incentives to boost cybersecurity standards and technology defenses. All companies that hold EU citizens' data, no matter where in the world they are headquartered, are subject to the law and risk fines for major breaches. Under the GDPR, companies must adopt measures appropriate to the risks their data processing activities present. But compliance alone is not a security solution.
Assessments should address existing compromises, policy violations or suspicious activities, and the organization's overall cybersecurity capabilities. Issues to consider include:
- Is the information system architecture effectively structured?
- Are the risks well understood, and reviewed constantly as sophisticated threat actors advance?
- Are the right measures set up to detect breaches, and what is the average response time?
- What are the policies and processes for connecting with third-party vendors, and does the organization assess the nature and degree of supply chain connectivity as a risk?
Ideally, organizations would understand the cyber health of any company they want to acquire before completing a transaction. When that isn't possible, the review should occur before post-purchase integration enables issues to spread from the portfolio company to the private equity firm or to other companies in its portfolio.
© 2019 White & Case LLP