Why Private Equity Firms Need to Include Cybersecurity in Their Due Diligence Process

The threat of a cybersecurity breach is often overlooked in the chaos of an acquisition, despite the impact such a breach can have on the valuation of an organization. Private equity firms purchasing portfolio companies should conduct thorough cybersecurity due diligence on every prospective acquisition. Why?

Poor cybersecurity practices in acquisition targets can cost a buyer in a number of ways. An existing or past breach that has not been disclosed by the time of close can expose a buyer to legal consequences under breach disclosure laws. Sellers are not immune either: a breach brings hard and soft costs from lost brand reputation, and, depending on the structure of the deal, it can also create warranty issues for the seller.

A buyer may also face unexpected costs associated with bringing the newly acquired business up to speed with security best practices and relevant compliance standards. Depending on the IT maturity of the company being purchased, the cost of undergoing third-party compliance audits is often significant enough to influence the purchase price of the company.

Performing cybersecurity due diligence to address these scenarios can include leveraging the following four services:

Penetration Testing

The due diligence stage of an acquisition offers the ideal opportunity to perform a penetration test on the company being acquired. This test simulates an attack on the company’s network infrastructure and/or applications to determine what attackers can access and where security gaps exist. While penetration testing is essential for every organization, it is even more vital to private equity firms that are in the business of acquiring organizations regularly (and who need to know if the companies they are purchasing have security postures that meet industry best practices).

During these controlled tests, an experienced consultant reviews the security of the organization’s network, using the same tools and techniques that an attacker would use. Testing can even be performed covertly without the awareness of the people who manage and operate the company’s systems. The outcome of the testing tells the private equity firm how much of an investment they will need to make in the security posture of the new business, so that the new business is operating at an acceptable risk level for their portfolio.

Forensic Review

Beyond penetration testing, private equity firms can also perform a forensic acquisition and review of the systems they are purchasing. Such a review can be done at two different points in the purchase. The first point is during the traditional due diligence period, when cybersecurity consultants look for indicators of compromise present on the systems. Performing a forensic review at this point can be a critical step, since an undisclosed breach, if identified, can have a significant impact on the valuation. The second time to conduct a forensic acquisition is on the day of closing. This forensic review allows firms to take a snapshot of the acquired organization as it stands before the private equity firm implements any changes. Your cybersecurity consultants will then file the system images so they can be referenced in the future should a breach or other incident occur after the acquisition. The review gives the firm an accurate record of the acquired company on the day of close. This is vital should a future breach call into question whether the issue existed at the time of closing, and whether the seller breached any warranties made during the purchase.
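A day-of-close image is only useful later if it can be shown to be unchanged since it was filed. The following is an added example, not code from the original article or from Sikich, of the record-keeping a practitioner would want around those filed images: a manifest of SHA-256 hashes taken when the images are acquired, and a check run before an image is relied on in a later dispute. The directory layout, file names, date and the examiner placeholder are all assumptions constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read images in 1 MiB pieces; disk images are large
IMAGE_SUFFIXES = (".dd", ".raw", ".img", ".E01")  # assumed naming convention


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(image_dir, acquired_on, examiner):
    """Record name, size and hash of every image file in image_dir."""
    entries = []
    for p in sorted(Path(image_dir).iterdir()):
        if p.is_file() and p.suffix in IMAGE_SUFFIXES:
            entries.append({"file": p.name,
                            "size": p.stat().st_size,
                            "sha256": sha256_file(p)})
    return {"acquired_on": acquired_on, "examiner": examiner, "images": entries}


def write_manifest(manifest, dest):
    """Store the manifest as JSON; keep a copy outside the image store."""
    Path(dest).write_text(json.dumps(manifest, indent=2))
    return Path(dest)


def verify_manifest(image_dir, manifest):
    """Re-hash each filed image; return (file, status) with status in
    'ok', 'modified' or 'missing'. Any non-'ok' result means the image
    cannot be presented as the day-of-close snapshot."""
    results = []
    for entry in manifest["images"]:
        p = Path(image_dir) / entry["file"]
        if not p.is_file():
            results.append((entry["file"], "missing"))
        elif sha256_file(p) != entry["sha256"]:
            results.append((entry["file"], "modified"))
        else:
            results.append((entry["file"], "ok"))
    return results


def demo():
    """Constructed walk-through: file two tiny stand-in images, verify,
    then simulate tampering and loss and verify again."""
    with tempfile.TemporaryDirectory() as d:
        erp = Path(d) / "erp-server.dd"
        fs = Path(d) / "file-server.dd"
        erp.write_bytes(b"constructed sample image A")  # stand-in, not a real image
        fs.write_bytes(b"constructed sample image B")
        manifest = build_manifest(d, "2024-01-31", "EXAMINER_PLACEHOLDER")
        write_manifest(manifest, Path(d) / "manifest.json")
        before = verify_manifest(d, manifest)
        erp.write_bytes(b"altered after close")  # simulated tampering
        fs.unlink()                               # simulated lost image
        after = verify_manifest(d, manifest)
        return before, after


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The manifest itself should be stored separately from the images (and ideally signed or placed in write-once storage); a hash list that lives next to the files it describes proves little if both can be altered together.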

IT Due Diligence

Along with the cybersecurity-specific services already discussed, private equity firms can also avoid turmoil by performing IT due diligence in tandem with these cybersecurity services. The IT due diligence process should identify additional technology areas that may require updates (e.g., workstations, systems, licenses), which could add cost for the purchasing firm or even open up liability concerns if the organization is operating software for which it is not properly licensed. When acquiring an organization, it’s important from a cost analysis standpoint to review the organization’s existing IT systems, as private equity firms may need to invest capital in new computers or pay for licensing renewals for the acquired organization.

An Example to Put it into Perspective

To provide an example, a private equity firm acquiring a portfolio company with homegrown ERP operations chooses not to perform a cybersecurity risk analysis. The acquisition goes through, and the firm acquires the portfolio company. Months later, the private equity firm discovers that the organization it acquired had been breached, and that sensitive ERP system data, stored unencrypted, was obtained by an attacker. Since the sale had been finalized by the time the breach was discovered, the private equity firm is more than likely responsible for dealing with the issues and costs it presents. These costs can include breach disclosure notifications, public fallout for the organization's brand image, the cost of remediating the breach, and potential penalties or fines from third parties. The significant time and resources required to address such a situation ultimately add unanticipated costs to the private equity firm's acquisition.

Feel Secure About Acquisitions

The role a cybersecurity expert plays in a private equity firm’s acquisition process, in conjunction with more traditional IT due diligence services, can be central to the success and bottom-line of the firm. To make sure you’re acquiring a portfolio company that fits your firm’s risk appetite and meets your overall security and IT standards, perform the proper due diligence. For help or for more information on utilizing cybersecurity and IT due diligence as part of your buying process, please reach out to one of our experts at Sikich.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
