Are your private equity deals safe from cybercriminals? The answer is very much ‘no’.
Deals are being compromised, money is being lost, and reputations are being affected.
The recent Thomas Murray webinar, The Art of the Hack: How Cyber Criminals Are Targeting Private Equity, saw PE expert Ed Starkie and ethical hacker Hassan Mahmud discuss vulnerabilities, attack methods and – importantly – everything you need to do to protect deals in the current environment.
Here are their five top takeaways for dealmakers:
1. Make it harder for hackers
Firms must put more obstacles in the path of hackers. Currently, the biggest single obstacle you can put in their way is multi-factor authentication (MFA) or two-factor authentication – as that significantly slows down attackers. It doesn't stop them, but it makes it more difficult to implement and automate an attack. MFA is one of the key things for any consultant or advisor in the PE space to consider.
Invest in people, culture, and training. Social engineering is a huge part of any attack (exploiting the human element), so make sure your people ask questions: “Did you send that email to me?” “Is this request legitimate?” “Do you think this is okay?”
As soon as someone starts asking questions, the likelihood of a successful attack is reduced. Think about when you’ve opened something that's potentially dangerous or malicious. The time it takes you to let someone on your security team know will give either you or the hacker the advantage; reacting quickly saves having to wait until something in the network or in the environment changes.
Over time, new hacking technology and tactics emerge, which is a challenge, but the cultural aspect of any organisation is vital – and investing in that should be a key part of deal due diligence.
2. Consider the value impact of these breaches
We’ve seen value being destroyed following cyberattacks. Tech organisations focused on developing software for banking clients often aren’t embedding essential security elements in their products. The potential for deal value to then be destroyed as a result of a cyber incident is significant – and this is a big issue for a number of different organisations. Ensure your deal environment is secure from the off.
3. Deal participants are obligated to ensure resiliency
There’s a duty of care to provide resiliency for yourselves, and also for your portfolio companies – and to be able to articulate, describe and provide insights to investors. That works across the chain, whether it's GPs to LPs, or LPs to portcos, and then back up. There should be an expectation that anybody and everybody involved in this complex business architecture should be secure in themselves and can then trust and verify that other organisations they engage with are equally secure.
4. Cyber intelligence equals strategic advantage
Participants in PE and M&A will often view cybersecurity and threat intelligence as a secondary consideration. But it’s vital to understand what's going on, and how an organisation in the dark economy operates and can extract value from your deal.
This requires real investment and dedicated individuals who can then articulate the risk to practitioners. Remember that insurance isn't a strategy. Jaguar Land Rover (the victims of a huge recent hack) are still looking at a significant gulf between what was covered and what their actual losses are going to be. Insurance is a key part of any risk strategy, but it shouldn't be everything.
It’s important to do extended periods of monitoring, but then to also make sure that this due diligence is actionable. Ensure that cybersecurity is embedded in the deal process and seen as value protection – as this will be a strategic advantage for PE firms that do it correctly. Investing early will ensure deal safety, good governance and regulatory compliance.
5. Understand your organisation and the threats it faces
Understand your organisation and the wider context in which it operates. Know its history as well; make sure you recognise how your company got to where it is. Know whether it was through a significant investment from a very high-profile individual or a particular organisation, or whether it was part of a carve out or a collection of firms merged over the course of a number of years. All of these things will have significant cybersecurity implications.
Look for individuals who have done this before, people who will dive into the detail and be able to extract the right information and provide it to your organisation.
