Before the Deal: Private Equity Firms Now Requiring Cybersecurity Controls at Portfolio Companies
Private equity (PE) firms have no choice but to adapt as digital transformation continues to accelerate across all industries. With it comes elevated cybersecurity risk across their portfolios, which has become a key due diligence focus area before investments are made.
Baseline requirements for PE investment are strict for a reason, and undervalued companies work tirelessly to demonstrate their growth potential and vision in order to find the right funding partner to help grow their business. Now, in addition to requirements like financial health and management structure, savvy PE firms are prioritizing minimum standards for cybersecurity in order to protect their potential investments.
The increased attention on cybersecurity inspection, often before a deal is even signed, is the new normal. Cybercrime and breach statistics are off the charts and demonstrate just how significantly cybersecurity has evolved as a risk factor for business operations and long-term business viability.
According to a report by Cybersecurity Ventures, the global cost of cybercrime is expected to reach $10.5 trillion annually by 2025, up from $3 trillion in 2015. And a 2020 study by IBM found that the average cost of a data breach is $3.86 million, up 10% from the previous year. In response to these staggering numbers, insurers, for instance, often require applicants to demonstrate that they have cybersecurity measures in place before they grant coverage, while regulators are applying pressure at historically high levels.
Prospective PE Portfolio Companies Face Unique Risk Vulnerabilities
Once a company has agreed to be acquired by a private equity firm, it may become a more attractive target for cyber attacks. There are several reasons why:
- Any funding announcement draws attention, and a threat actor’s perception of the value of the company receiving investment increases because of its association with the private equity firm. Cybercriminals may see the private equity firm’s involvement as a sign that the company has valuable assets or data that can be exploited for financial gain.
- The acquisition process itself can make the company more vulnerable to cyber attacks, as due diligence requires sharing a massive amount of data, including sensitive financial, legal, and operational information, with the private equity firm and its advisors.
- During the integration process, the portfolio company is often exposed to new systems, networks, and technologies that can introduce additional cybersecurity risks. Integrating IT systems and data across different organizations can open up security gaps that are easily exploited by cybercriminals.
To minimize these risks, private equity firms should conduct thorough due diligence on the cybersecurity posture of the portfolio company before the acquisition, and implement appropriate cybersecurity measures and protocols during the integration process. This may include conducting regular vulnerability assessments and penetration testing, implementing strong access controls and data encryption, and providing cybersecurity awareness training to employees.
A mature cybersecurity program is no longer just the priority of large, well-resourced companies. From startups to the mid-market, firms are finding that a host of third parties, including clients, insurance providers, regulators and investors, now require them to implement sustainable cybersecurity defenses.
The PE firm/portfolio company relationship is a symbiotic one by nature: value sees value. The only way to ensure mutual success in today’s always-on and interconnected world is to secure the value both parties offer. Value creation is hard to achieve without value protection. Thrive’s NextGen managed services for private equity firms can optimize, manage and protect critical infrastructure in real time, at all times.
Ramp Up Cybersecurity with Thrive
To help portfolio companies get started on the path to cyber risk mitigation, Thrive can design and implement a strong security foundation to ensure the right actions and choices are being made to protect the organization and achieve compliance.