Cyber security as a value creation lever in PE 

Cyber security remains a largely under-used and under-optimised value creation lever. This is despite the increase in regulatory focus and the continued devastating impact of cyber incidents.  

The greater understanding of the financial implications of a cyber security attack has resulted in limited partners (LPs) and insurance companies elevating its importance within potential investments. While there is an increased expectation that organisations will have appropriate cyber security capabilities, within PE itself this value creation lever remains largely overlooked.  

Our approach is to encourage the use of light-touch cyber security activities earlier in the deal funnel (alongside existing tracking and sourcing filters), and this is a topic we will cover in depth in our next article. For now, however, we will assume the cyber security input starts in the formal DD phase.  

Understanding the value that appropriate cyber security transformation can have on an organisation and investment is important, so selecting a cyber-DD provider should be a conscious decision. It should give you confidence, meet your requirements, and be conducted by individuals who have done this kind of work before. 

Due diligence is only as good as those who perform it 

It is vital to ensure that experienced, knowledgeable, and pragmatic practitioners are not only responsible for overseeing a cyber-DD assessment, but also for conducting and being part of the assessment process.  

An organisation that tends to allocate tasks to non-specialists may not receive the necessary insights, observations and – ultimately – value that you need as a PE fund to make informed decisions.  

An experienced cyber-M&A practitioner will seek to align its output and the focus of any DD engagement to PE investment committee requirements. The cyber-DD assessment should be as understandable as any other DD, and feed into the PE fund’s existing processes. A cookie-cutter approach to DD with a pre-dictated output will only get you so far, as will the execution of DD by largely inexperienced or inappropriately qualified individuals.  

Once a deal has gone through, the necessary focus should be placed on the asset and how to generate value. Start with the business’s people, especially its leadership. This aspect should already have been assessed in the DD phase with a series of costed findings, but there should also be consideration given to some longer-term cyber security value-creation activities. 

Let’s consider three potential levers, all of which could sit under the banner of ‘cyber transformation’: 

Leadership enhancement 

In the same way as the addition of senior financial leadership in an investment will add maturity, increase rigour, and create value, the same can now be said of cyber security leadership.  

However, with the well-documented shortage of cyber security expertise, it is increasingly difficult for PE firms to ensure they have the necessary cyber security leadership across all investments. It is in this area that services such as portfolio virtual chief information and security officers (vCISOs) and a cyber centre of excellence can provide the expertise required to create the same value as a permanent head of security, but with a significantly reduced-price tag. 

Cyber security as a tool for strengthening trust 

The CrowdStrike incident and its consequences for Microsoft users demonstrated the impact that such a third-party event can have on a brand and its value.  

Conversely, the appropriate management of cyber security and data – including aligning data handling to wider ESG principles – can elevate a brand and increase brand loyalty and trust. Alignment and inclusion of cyber security best practices throughout the organisation help cement the perception of trust, making business growth easier. This is true both during and after an incident.  

Optimising existing processes and asset use 

Cyber security capabilities are frequently dependent on inputs from functions across the business. The result is that, when conducting activities to improve cyber security, inefficiencies and opportunities for wider business process improvements are commonly identified.  

These can be in critical back-office functions such as technology, HR, and finance, but also in revenue-generating and front-office functions such as sales and client onboarding. Consistency, efficiency, and availability are all key considerations for any cyber security practitioner and should be applied wherever the opportunity arises.  Such opportunities must be articulated in a way that demonstrates wider business benefits, but it is often only possible when experienced individuals in cyber security are involved.  

A cyber-DD partner should be able to consider all these issues and advise an organisation on how to accelerate its cyber transformation programme. Now is the time to consider whether you are getting the optimal value, both during the DD phase and for the following period of ownership.  

Thomas Murray’s Funds and Cyber Risk teams operate closely together to ensure that your PE firm gets the breadth of experience and technical knowledge it needs to maximise value from its due diligence and cyber security. Talk to us today to find out more about what we can do for you.