
The merger and acquisition (M&A) world has developed an appreciation for a sophisticated and tailored approach to cybersecurity. Cybersecurity due diligence as a core stream for buyside investors is a growing area, which reflects a deeper understanding and appreciation of the fact that poor cybersecurity presents a significant risk to organisations and investors.

The McPartland Review of Cyber Security and Economic Growth, to which Thomas Murray contributed, released its final report and recommendations this May. In it, the Rt Hon Stephen McPartland MP notes that cybersecurity is the cornerstone of a digital society, and makes the clear link between economic growth and cybersecurity and the need for ever more robust cybersecurity measures – including due diligence.

Your cyber expert: Edward Starkie, Director, GRC | Cyber Risk (estarkie@thomasmurray.com)

The Bank of England, too, in April highlighted the importance of banks managing risk across their investments in private equity. In a speech addressing the PRA’s thematic review of private equity financing risk management frameworks, the BoE’s Rebecca Jackson expressed concern about the management of credit risks across the sector and the exposure of banks to potential monetary shocks. It is a small and logical step to suggest that the management of cybersecurity risk in PE-backed entities may soon be a focus for increased scrutiny.

Yet, despite this increasing emphasis on cybersecurity and the part it plays in the economy, there are still some widely held misconceptions about its role in the M&A process. This knowledge gap creates common pitfalls and missed opportunities for investors – both in terms of optimising their investment, and in terms of getting a detailed picture of how a potential investment manages a key business risk.   

Common misconceptions 

  • “Heavily investing in the latest AI tooling ensures protection.”  

It is natural for dynamic organisations like private equity firms to be drawn to new (and frequently shiny) technologies without implementing them in a way that gets the best out of them. As a result, we frequently deal with cases where a business has mismanaged the use of new technologies and thereby exposed itself to additional risk. Artificial intelligence is a classic example.

  • “Data protection due diligence addresses cybersecurity concerns.” 

Including data protection in a due diligence process is a good idea; however, it often does not include a broader consideration of specific cybersecurity risks and controls. (As a side note, all too often we see a black-and-white approach adopted by lawyers in this space – ignoring the reality that businesses will (and should) adopt a risk-based approach.)

  • “IT due diligence is enough.”  

There may be some minor crossover between cyber and IT due diligence, but in my experience a lack of specialised cyber due diligence means that the process is usually limited to things like backups of data and the security of network devices. Cyber due diligence should be driven by the relevant cybersecurity context (i.e., an understanding of the threat landscape).

  • “The target has ISO 27001, so that’s proof they are secure.”   

This assumption is one I run up against all the time, but telling me an organisation holds ISO 27001 is no different from you telling me that you have a 500m swimming badge.

I don’t know what that badge really tells me about your capabilities. How fast can you go? How tired are you at the end of the 500 metres? What stroke do you use? Being able to manage a leisurely crawl at the local pool is not at all like being able to confidently navigate choppy waters to shore if you have to jump from a sinking ship.  

Likewise, if an organisation has ISO 27001, all I can say with certainty is that it has an information security management system in place. Context is key in the world of cybersecurity, and an ISO 27001 certificate in isolation does not provide it.

Shifting areas of focus  

It is important to understand that the focus for investors will change at different points of an M&A process.  

Before signing, the key questions will include:   

  • Has a past breach occurred? If it has, what was the extent of it? Who was impacted? Are there any regulatory, business, or operational impacts? And, ultimately, what is the impact of the breach on the value of the investment?  

  • What is the likelihood of a breach occurring in the future? What controls does the target have in place? Does the current capability of the target align with the longer-term aspirations of the business? Is the target’s leadership able to support the secure delivery of value creation underpinned by cybersecurity?

  • How much will it cost to improve the target’s cybersecurity capabilities to align risk management with the investor’s broader business risk appetite? 

Extracting the information needed to provide the answers to these questions requires experience, flexibility, and an ability to focus on what matters.  

Maximising the value of the due diligence exercise often depends on how quickly the individual conducting it can form a relationship with those being interviewed. A good due diligence practitioner can rapidly understand the context of cybersecurity within the business, and shape the necessary questions, interviews, and requests accordingly.

For much of the PE market focusing on SMEs, internal teams have likely been under pressure to deliver appropriate cybersecurity on a tight budget. The widespread use of a binary approach to due diligence undermines the value of the exercise and does not reflect what efforts have been made to address key threats to the business and its value, and importantly what is left to do.  

Juxtaposing a lack of formal evidence and documentation with frequently heard phrases such as “cybersecurity is a key risk to the business” is a useful data point, but what is truly needed is a more nuanced understanding of what cybersecurity capabilities are in place, and the capability of the leadership to deliver change. This requires skills across both the technical and non-technical domains.  

The new broom – leadership and realising the value of cybersecurity 

Once an investment in an organisation has been made, it is common for a period of rapid risk reduction to take place. This should be an opportunity for the team to make quick configuration or technical changes and could involve very direct and non-negotiable control implementation. New investment will likely attract the attention of threat actors and could result in an increase in attacks, which will need to be managed.

Once the short-term programme is done, it is ultimately systematic planning, and proactive and sustainable cybersecurity activities, that will create long-term value in an organisation. These activities must be informed by threat intelligence and aligned to business strategy. This opportunity to add value to PE-owned organisations is commonly missed.

The fact that cybersecurity is not immediately obvious as a mechanism for value creation is perhaps the fault of cybersecurity professionals, and their traditionally high levels of isolationism and detachment from the business and its core objectives. Such a change in attitude, approach, and positioning of cybersecurity within a business is sometimes only possible with a change of leadership. From personal experience, I can say that ineffective cybersecurity leadership frequently places organisations on the back foot and prevents them from realising the full potential of cybersecurity value creation.

In future editions we are going to discuss wider considerations around cybersecurity concentration risk management at a portfolio level. Stay tuned... 

On 11 June, Ed and Ben Hawkins from our Cyber Risk team will be hosting a webinar addressing the role of cybersecurity in private equity. Save your spot! 
