Cybersecurity: private equity in pole position
In private equity, the loss or gain of value is what determines a firm’s success, and so understanding cyber risk has never been more important.
Cyberattacks have become one of the biggest threats not only to business but to society at large. Cybercriminals, hacktivists and nation states are capable of deploying malicious code to bring down everything from corporates to critical infrastructure in an instant.
As attacks grow more pervasive and sophisticated, investors have come to recognise the urgent need to ensure that assets are well protected and that cyber risk is managed effectively. This was thrown into sharp relief when the disclosure of two data breaches reportedly led to a $350 million discount on Yahoo’s $4.8 billion asking price when the Internet firm was acquired by Verizon last year.
In private equity, the loss or gain of value is what determines a firm’s success, and so understanding cyber risk has never been more important. This industry is also uniquely positioned because cybersecurity presents both a threat and an opportunity.
The very largest private capital firms are responsible for the management of hundreds of billions of dollars across a range of asset classes and store sensitive client data and communications. If they were so unfortunate as to be the target of an attack, it could deter limited partners from making future commitments.
Arguably, of even more pressing concern is the defensibility of portfolio companies. Cyberattacks can ruin the reputation of a business, cost it clients, customers and suppliers, and ultimately result in lost revenues and earnings.
A survey by Coller Capital found that private equity firms’ limited partners are already thinking about this, with 55% of investors saying they will require their general partners to undertake cybersecurity risk assessments for their management companies, and 45% requiring the same assessments at the portfolio level.
Encouragingly, we are seeing private equity firms and other acquirers increasingly prioritise cybersecurity in due diligence processes, particularly where it intersects with data privacy issues. For instance, data porting, such as the transfer of credit card details from one company to another in retail M&A situations, is being thought about more judiciously than ever before.
Private equity funds are taking a risk-based approach and understand that boilerplate approaches to cyber risk are ineffective. Certain sectors – including healthcare, infrastructure, and transport and logistics – not only face greater disruption if they are attacked, in ways that extend well beyond data loss to the potential loss of business continuity and even the loss of life, but are also exposed to higher reputational and value downside if they fall victim to breaches.
We understand that due diligence must go beyond law and regulations. Since often the only legal requirement is to have reasonable security under a risk management framework, the real diligence is in understanding the ways in which an individual company is exposed to cybersecurity risk in a practical, commercial, real-world sense.
Diligent acquirers price risk into their acquisitions. Just as private equity firms must understand the cyber risk profile of investment targets when they evaluate deals, they can also use hands-on management to improve cybersecurity governance at their investee companies, making them more saleable prior to exit. As the services of cybersecurity firms have become indispensable, we also see that private equity is taking a keen interest in this niche of the technology sector, whose recurring revenue models and growth potential represent a compelling source of investment returns.
As corporations and governments focus ever more attention on the scale of the cyber threat and their vulnerability, private equity is at once assessing its own exposure while spinning this threat into an opportunity.
By Steven Chabinsky, partner, and Ian Bagshaw, partner, White & Case