Bye-bye Laybuy: Six cyber security lessons for PE from a BNPL collapse

The rise, fall, rise, and fall of Laybuy  

A prime example of the consequences of inadequate cyber security can be found in the sad story of Laybuy, which is now in administration after a series of cyber calamities. There are many lessons to be learned from the company’s collapse that apply to other privately-owned businesses, particularly in the private equity (PE) owned asset space. 

Founded in 2017, Laybuy was part of the growing ‘buy now, pay later’ (BNPL) industry, which allows consumers to spread the cost of buying items over two to three months. At one point it was considered a serious rival to Klarna. Based in New Zealand, it had a combined user base of 800,000 and operations across New Zealand, Australia, and the UK.  

The business was delisted from the Australian Stock Exchange in August 2023 after experiencing a lack of growth and losses, but a turnaround plan led to Laybuy breaking even by October of that same year.  

It was shortly after this success in October, between December 2023 and February 2024, that it became “a victim of fraud and cyber-attacks”. The events, although not widely and formally reported, were identified and referenced on popular consumer forums by Laybuy’s own users. For an organisation with existing challenges, the fallout from these extended attacks resulted in material cash losses, regulatory breaches, and cash flow issues.  

Although not the only factor in play, the administrators point to Laybuy’s cyber security failings as being a key part of its collapse.  

The full technical details of the cyber security incident, including internal controls and response to the incident, are not yet known. But what we can learn from it is this: 

Cyber security is an ongoing business concern 

Above all, Laybuy’s demise is a stark reminder that cyber security does not operate in a vacuum separate from the business it is part of. A growing body of evidence demonstrates that cyber security incidents have a direct financial impact.  

This is especially relevant to organisations that are looking for funding so they can grow and generate value for investors. Responding to, and recovering from, a cyber incident can require using funds earmarked for value-generating activities and cause cash flow issues and lower growth rates. Failure to have effective cyber security embedded in an investment is an investment risk because cyber security incidents have tangible business impacts. 

Cyber security must be clearly aligned to business objectives  

Implementing cyber security is not a one-off activity, but an ongoing process. It consists of continually aligning and realigning internal risk management frameworks to ensure decisions related to risk meet the business’s overall risk appetite.  

Industry-specific considerations cannot be ignored 

Businesses that operate in sectors and industries with high levels of competition and low barriers to entry are more susceptible to losing customers after a cyber security incident. As a result, cyber security response planning must include customer management and external communications as primary considerations. 

Regulatory requirements always matter  

The BNPL sector is not highly regulated, but the Laybuy cyber security attack was a direct result of regulatory non-compliance. Regulatory requirements should be a key factor in all cyber security decisions – although regulatory compliance should not be the only objective. Proactive and effective risk management should also be a desired outcome. 

Trust, but always verify 

In-house cyber security departments are mission-critical to their organisations, but the delivery of an effective function requires validation and review on an ongoing basis.  

An external assessment is sometimes not welcomed by internal cyber security and IT teams, but external reviews, assessments, and assurance activities are no different to external audits of finance functions. External review is a necessary component in not only delivering but demonstrating the existence of a robust critical function.  

Effective business and cyber security leadership are fundamental  

Leadership across functions and departments should have relationships that are strong enough to welcome open challenges to existing processes and suggestions for improvements. The right skills and experience in the right place are also necessary if leadership is to be effective – for example, cyber security and IT are different and require different skillsets. A strong IT manager does not necessarily make for a strong Chief Information Security Officer. 

As an industry, PE has multiple opportunities to inject value into a business and address risks linked to its investments. Due to the growing importance of cyber security and its clear link to business value, it should be a core part of:  

• pre-investment due diligence;  
• post-acquisition value creation activities;  
• ongoing portfolio risk management; and  
• divestment.