It is an uncomfortable truth that many funds neglect the need to select a specialist provider when it comes to performing cyber security due diligence (DD).
The dangers of such an approach are considerable, but the reasons for it are understandable. The pace of business and investment decision-making limits the time available to private equity (PE) firms to assess their providers and ensure they are maximising the value they get from them. So, the quieter summer months are the perfect time for PE firms to assess whether they have the appropriate cyber security capabilities within their portfolio of investments. If done correctly, cyber security can transform from a cost base into a way of demonstrating value.
Cyber security remains a largely under-used and under-optimised value creation lever. This is despite the increase in regulatory focus and the continued devastating impact of cyber incidents.
The greater understanding of the financial implications of a cyber security attack has resulted in limited partners (LPs) and insurance companies elevating its importance within potential investments. While there is an increased expectation that organisations will have appropriate cyber security capabilities, within PE itself this value creation lever remains largely overlooked.
Our approach is to encourage the use of light-touch cyber security activities earlier in the deal funnel (alongside existing tracking and sourcing filters), and this is a topic we will cover in depth in our next article. For now, however, we will assume the cyber security input starts in the formal DD phase.
Understanding the value that appropriate cyber security transformation can have on an organisation and investment is important, so selecting a cyber-DD provider should be a conscious decision. It should give you confidence, meet your requirements, and be conducted by individuals who have done this kind of work before.
Due diligence is only as good as those who perform it
It is vital to ensure that experienced, knowledgeable, and pragmatic practitioners are not only responsible for overseeing a cyber-DD assessment, but also for conducting and being part of the assessment process.
An organisation that tends to allocate tasks to non-specialists may not receive the necessary insights, observations and – ultimately – value that you need as a PE fund to make informed decisions.
An experienced cyber-M&A practitioner will seek to align their output and the focus of any DD engagement with PE investment committee requirements. The cyber-DD assessment should be as understandable as any other DD, and should feed into the PE fund’s existing processes. A cookie-cutter approach to DD with a pre-dictated output will only get you so far, as will the execution of DD by largely inexperienced or inappropriately qualified individuals.
Once a deal has gone through, the necessary focus should be placed on the asset and how to generate value. Start with the business’s people, especially its leadership. This aspect should already have been assessed in the DD phase with a series of costed findings, but there should also be consideration given to some longer-term cyber security value-creation activities.
Let’s consider three potential levers, all of which could sit under the banner of ‘cyber transformation’:
Leadership enhancement
In the same way as the addition of senior financial leadership in an investment will add maturity, increase rigour, and create value, the same can now be said of cyber security leadership.
However, with the well-documented shortage of cyber security expertise, it is increasingly difficult for PE firms to ensure they have the necessary cyber security leadership across all investments. It is in this area that services such as portfolio virtual chief information security officers (vCISOs) and a cyber centre of excellence can provide the expertise required to create the same value as a permanent head of security, but with a significantly reduced price tag.
Cyber security as a tool for strengthening trust
The CrowdStrike incident and its consequences for Microsoft users demonstrated the impact that such a third-party event can have on a brand and its value.
Conversely, the appropriate management of cyber security and data – including aligning data handling to wider ESG principles – can elevate a brand and increase brand loyalty and trust. Alignment and inclusion of cyber security best practices throughout the organisation help cement the perception of trust, making business growth easier. This is true both during and after an incident.
Optimising existing processes and asset use
Cyber security capabilities are frequently dependent on inputs from functions across the business. The result is that, when conducting activities to improve cyber security, inefficiencies and opportunities for wider business process improvements are commonly identified.
These can be in critical back-office functions such as technology, HR, and finance, but also in revenue-generating and front-office functions such as sales and client onboarding. Consistency, efficiency, and availability are all key considerations for any cyber security practitioner and should be applied wherever the opportunity arises. Such opportunities must be articulated in a way that demonstrates wider business benefits, but this is often only possible when experienced cyber security individuals are involved.
A cyber-DD partner should be able to consider all these issues and advise an organisation on how to accelerate its cyber transformation programme. Now is the time to consider whether you are getting the optimal value, both during the DD phase and for the following period of ownership.
Thomas Murray’s Funds and Cyber Risk teams operate closely together to ensure that your PE firm gets the breadth of experience and technical knowledge it needs to maximise value from its due diligence and cyber security. Talk to us today to find out more about what we can do for you.