In today’s world, cyber attacks and data loss are huge risks for any company, and no less so for Private Equity companies and their portfolios. In recent years, PE businesses have increasingly focused on ESG management (Environmental, Social, and corporate Governance initiatives) as they become a critical focus for stakeholders and business enablers or disruptors. Similarly, Cybersecurity breaches now commonly affect not only the business value and ability to operate but all stakeholders, including customers, the community, and even the environment. Indeed, the cost of a data breach is, on average, highest in organizations that provide critical infrastructure that could cause environmental or societal damage, with an average cost per breach of $4.82m. This global average figure, while significant in itself, hides some existential threats that a data breach may bring; for example, in July 2022, T-Mobile agreed to settle class action lawsuits connected to a 2021 data breach at a cost of $350m.
Meanwhile, the largest fuel pipeline in the US was taken down by a ransomware attack in 2021 due to a compromised password. Alongside the payment of a multi-million dollar ransom, the pipeline was closed for a week, causing regionally higher fuel prices from supply issues. These events are no longer uncommon but rather form the rule. Indeed, IBM & the Ponemon Institute's “Cost of a Data Breach Report 2022” found that no less than 83% of organizations have already experienced more than one data breach.
Therefore, PE houses should seek to quantify the cybersecurity readiness and historical integrity of any target company before acquisition. Furthermore, it is recommended that all such organizations routinely treat the cybersecurity efforts, standards, and initiatives of their current and future portfolio companies as a core element of ESG management, and pre-acquisition/investment Technology Due Diligence should explore historical breaches and current readiness as a matter of course. At RingStone, we see cybersecurity as integral to all our work across Technology and ESG, delivered through cross-functional Cyber-Technology Due Diligence.
Private Equity Cybersecurity Checklist
1. Undertake Cyber-Technology Due Diligence Prior To Acquisition
Cybersecurity due diligence should now be routinely undertaken as part of the acquisition process to identify and quantify potential material risks of a data breach, allowing the acquirer to plan for how issues will be addressed (and paid for) after closing and during integration. As with all Technology Due Diligence, the resulting output should provide value levers woven into a roadmap of critical remediation and low-hanging fruit, with clear costs and a timeline for handling these. This roadmap provides the acquiring company with clarity over forward required investment spending, potentially derived partly by pushing a portion of target proceeds into remediation.
2. Don’t Rely On Insurance
It is possible to insure against Cyber Liability, and as a backstop for worst-case events, it is a valuable consideration. However, failure to tackle the root cause issues that lead to data breaches will not only raise the likelihood of them happening but may also lead to an invalidation of the insurance and larger fines from compliance and regulatory bodies. Getting the house in order as early as possible in the integration period provides the best risk management strategy, as well as uncovering potential value-creation opportunities.
3. Integrate Cyber To ESG
Given its increasing importance and the scale of inherent risk, cybersecurity may be seen as a standalone top-level reporting requirement. However, the material threats to business value and stakeholders that cyber risk presents are also the core concern of Environmental, Social, and corporate Governance (ESG) initiatives. Most PE companies now undertake significant efforts to provide stakeholder reports and internal ESG dashboards. By treating high-level cyber risk as another aspect of mature and responsible ESG management, overall governance is improved, and reporting is both enhanced and, for external stakeholders, simplified. Integrate benchmarks of cyber readiness into ESG dashboards for your portfolio, and apply these standards when assessing new investments.
4. Conduct Annual Assessments
Security is only as strong as the weakest link in the chain, and the risk landscape for agile businesses in our fast-moving world changes rapidly. It is important, therefore, to undertake an annual security assessment of portfolio companies. Integrating this into a live ESG dashboard and undertaking this work alongside or as part of regular ESG re-assessments can improve the efficiency of this process and minimize disruption to portfolio companies.
Cyber-Technology Due Diligence Key Factors
A comprehensive examination of Cyber Readiness derives first from understanding the technology landscape within the business. Weaknesses, risks, and threats can as easily stem from poor password usage (i.e., people risks) as from misconfigured cloud-based APIs (i.e., technology risks), and all avenues must be explored. However, our experience has clearly shown us that the three factors that lead most frequently to high breach costs are:
1. Significant Use Of The Cloud
Cloud computing and SaaS model deployments have been instrumental in the explosion of high-value apps on the Internet. However, the ease of deployment and highly scalable nature of the underlying infrastructure make the cloud a common source of vulnerability. Use of the cloud increases the attack surface of an application; insufficiently secured ingress points, for example, become reachable by attackers. Malware, zero-day exploits, account takeover, and many other malicious threats have become a day-to-day reality of cloud security operations.
2. Inadequate Compliance
Most companies state their compliance with an over-arching security standard (e.g. ISO 27001, NIST), either by actually achieving certification or by developing self-regulated internal policies based on the selected framework. However, even many certified companies fail to comply in practice with the requirements of these standards, and the same is true where regulations govern user data management (e.g. GDPR). The cost of a data breach can be astronomical, as it was in the case of T-Mobile discussed earlier in this article, and paying only lip service to the enforcement of policy may be worse than doing nothing at all, as senior management is incorrectly led to believe that risk is managed. The simple guidance here is to “practice what you preach,” which should be verified through practical evidence of applied controls and enforcement when undertaking Cyber-Tech Due Diligence.
Many privacy regulations, including GDPR, require the use of Personally Identifiable Information (PII) to be tracked and actively maintained. Statements in a public privacy policy (such as those commonly found on company websites) setting out the rights of an individual must be backed up by the ability to respond practically and effectively to data listing and removal requests. To do so, the business must know what data it has, where it is stored, and how to correct or retrieve it.
A Chief Information Security Officer’s (CISO) ability to explain data mapping in their business is, therefore, extremely telling when validating their ability to deliver on stated security policies. The key points to understand are:
What data the business holds
Whether the data is sensitive
Where the data is located
Whether the data is classified (e.g. public, confidential, highly confidential)
Whether the data is subject to a legal, regulatory, or litigation hold
Whether the data is encrypted at rest and in transit
How (and whether) the data can be deleted, corrected, or provided to a consumer on request
3. Over-Complex Security Systems
As our technology stack has grown, security threats have become commensurately more sophisticated, resulting in network security becoming ever more complex and difficult to manage. Bruce Schneier, a leading light in cryptography and security, stated at the end of the last century that “complexity is the worst enemy of security,” and we have since had nearly 25 years of technology proliferation.
Defending critical assets from cyber threats has led most businesses to layer security controls and policies to the point where the risk of vulnerability from human error has become significant. Multiple systems require multiple skill sets, frequently breaking the chain of responsibility and ownership across teams. Disparate vendors result in a lack of integrated security dashboards, and complex network interactions result in shortcuts that leave unintended “holes” in the security fabric.
Where security complexity is actively reduced (fewer vendors, integrated policies, single log aggregators and dashboards, etc.), we find the cybersecurity posture to be stronger.
RingStone Cyber-Tech Due Diligence
RingStone’s proprietary and comprehensive Technology Due Diligence methodology covers Organization, Product Strategy, Architecture & Code Quality, SDLC, and Infrastructure, as well as specialist areas such as the use of AI/ML and deep-dive into cybersecurity itself. However, each of these disciplines carries cybersecurity requirements and risks, and therefore security is always examined as a horizontal theme across all of our work. More specifically, when examining any organization, we seek to:
Understand policies and internal governance processes.
Understand the software and the IT ecosystem.
Understand all inputs/outputs, including third-party integrations.
Understand the security practices and in-place controls.
Understand the organization and its processes.
From this, we develop a rating of the cybersecurity maturity state, identify gaps and critical risks, and highlight improvement and value creation opportunities. Beyond this, we deliver a clear, costed action plan for improvement and remediation, integrated into a comprehensive report on the value and viability of the overall technology team and products.
About the Author
Graeme Cox has worked in and created cybersecurity and deep-tech AI companies over almost 25 years, acting as both CTO and CEO. As a lead practitioner at RingStone, he works with private equity firms globally in an advisory capacity. Before RingStone, Graeme built and managed an AI biometric wearables company and today serves on the board of two AI businesses. Earlier in his career, Graeme founded and built one of the UK’s leading cybersecurity companies, leveraging big data from critical systems to drive early warning of hack attacks, ultimately selling the business to one of today’s global leaders in the field. He has consulted for global firms and is a sought-after NED, mentor and public speaker in cyber and deep tech, notably in AI, XR, and Medtech. Graeme holds a degree in Artificial Intelligence and Computer Science from the University of Edinburgh.