A strong cybersecurity and risk posture is increasingly important in today’s business world, which is why private equity investors should build cybersecurity and privacy modules into their due diligence. Without proper due diligence, a private equity investor could inherit an organization’s poor security posture and – even worse – undisclosed data breaches or security incidents that could result in heavy fines, brand damage and devaluation.
Why is Cybersecurity and Privacy Due Diligence Important?
As cybersecurity and privacy continue to evolve and grow in importance, organizations frequently discover that they are unprepared for, and unaware of, their underlying risks. When a private equity investor makes a new acquisition, it may be inheriting that risk.
As evidenced by the Marriott-Starwood acquisition in 2019, a lack of cybersecurity and privacy due diligence affects the buyer in an acquisition. While not a private equity case, Marriott didn’t know that Starwood had suffered a major data breach when it made the purchase. Upon closing the deal, the data breach became Marriott’s problem, thrust the company into the media spotlight, damaged its reputation – and left it facing a $124 million fine. This could have been avoided had Marriott done proper due diligence before finalizing the transaction. Another high-profile example is Verizon’s acquisition of Yahoo – shortly afterward, Yahoo disclosed two significant data breaches that resulted in unwanted media attention and hefty fines. A 2018 report by PwC revealed that after Yahoo’s disclosure of the breaches, Verizon cut its offer by 7% ($350 million) from the original price.
In the private equity world, there is a growing realization that potential investment targets need a strong cybersecurity and privacy posture, paired with compliance with any applicable regulatory obligations. A target’s failure to implement these security measures could have a significant impact on the success of the investment. These considerations apply to all companies regardless of industry or size.
This is becoming an issue across all organizations and industries, but one area of growing concern is targets whose business model depends on handling specialized data, such as a cloud service provider (CSP) or a software-as-a-service (SaaS) organization. Organizations whose business model and operations are online must always be available; when their service fails, the client company can be exposed to major downtime, leading to loss of revenue and customers.
What Does the Security Due Diligence Process Look Like?
For a security due diligence assessment, it is important for a private equity firm to review a target for any documentation related to previous or ongoing data breach investigations in order to determine how many incidents the target has had, how it responded to each incident and whether it addressed the flaws in its infrastructure that the incident exposed. Part of the due diligence should also focus on determining the target company’s capabilities for detecting and responding to a breach, even if none has been declared historically. It is also important to review the policies and procedures the target has in place and whether it maintains an incident response and breach notification guide. These guides are vital when a security incident is discovered, as they outline how the organization should respond.
Another critical component of security due diligence is reviewing the organization’s adherence to industry compliance standards and security frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS). This step not only reviews adherence to the cybersecurity and privacy frameworks the target already follows but also identifies additional compliance requirements that may apply to the target and its adherence to them.
What does Privacy Due Diligence Look Like?
With the advent of Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA), as well as other countries and states looking to implement their own legislation, it’s more important than ever for an organization to protect customer and employee privacy. During the privacy due diligence phase, an organization is reviewed to identify how it collects consumer/personal data, how it processes it, where it stores it and how well that data is protected under current processes and procedures. This stage also reviews how a consumer/data subject is informed of the data processing practices, rights and obligations, along with how one could request a copy of their data and how quickly the organization could fulfil that request.
People Are the Weakest Link
As part of the due diligence process, it’s important for private equity firms to review a potential investment’s personnel and the key role they play in the organization’s security. This includes the key security staff, their experience, their reporting structure and chain of command, and their autonomy within the organization. If these key security personnel report only to IT, this can cause problems – a better security posture is for them to have visibility with the board and the ability to report problems to the C-suite directly. The review should also cover the measures the target organization takes to educate and train its personnel on spotting and preventing a cyberattack.
Another key element of this stage of due diligence is determining how the board stays abreast of cybersecurity and privacy developments. This can be done by reviewing the minutes from board meetings, looking at presentations given to the board on cybersecurity and privacy, and asking about the industry knowledge and expertise of the directors.
A-LIGN’s Due Diligence Approach
As a leading compliance and cybersecurity firm, A-LIGN uses industry-recognized frameworks that focus on system and organizational compliance controls and overall risk exposure – such as the NIST 800-30 standard – as the foundation of its due diligence methodology. This approach ensures:
- Adherence to proven and repeatable processes that improve outcomes and speed up deployment
- A common and structured format that eases communications between A-LIGN, the buyer and the seller
- A standard reporting method that makes remediation recommendations easy to follow and provides a repeatable format across multiple buy/sell transactions
- Preparation for future regulatory and customer compliance initiatives
- Identification of key threats, vulnerabilities and residual risk
Performing Due Diligence to Protect Yourself
Acquiring targets as a private equity firm can be a stressful time with many moving parts and complex pieces in play; performing proper cybersecurity and privacy due diligence helps mitigate risk that often goes undetected and ensures you’re inheriting the best your target has to offer – without any hidden risk exposure.
Note: This blog was created in part with insight from the Carlton Fields CF on Cyber podcast, featuring attorneys Jack Clabby and Joe Swanson.
Ready to perform cybersecurity or privacy due diligence on a target? Contact the professionals at A-LIGN at [email protected] or 888-702-5446 to find out how we can help.