Cybersecurity diligence in private equity transactions: A Q&A with experts

Cybersecurity. It's something that you need to be aware of both when you're looking to acquire and once you've acquired in the continued day-to-day operations of the company. You don't want to risk your data being exposed, being embarrassed, or suffering financial loss. Alex Agran, host of the Private Equity Technology Podcast, recently interviewed two West Monroe experts on the importance, frequency, and relevance of cybersecurity diligence in private equity deals. West Monroe’s mergers and acquisitions practice completes over 400 deals annually—about half include some level of cybersecurity diligence—and experts Paul Cotter and Brad Haller offered their insights from the trenches of private equity dealmaking. This is an excerpt of their conversation. Listen to the entire episode, West Monroe Partners on Cybersecurity, on SoundCloud.

What are you looking for during cybersecurity diligence?

PAUL COTTER:  Our goal during cybersecurity diligence is to not just understand a target’s external security surface and how the company is handling that today, but more importantly how they are positioned to manage that moving forward and the potential risks over the long term. Because that is what will impact the valuation and the return on investment for a private equity firm. What we're really looking for is to understand how company thinks about security from the ground up. How do they envision security as a strategy for the company and for protecting their intellectual property? A number of things influence a company's cybersecurity posture, including the industry they operate in, regulatory frameworks they're subject to, and the type of data they manage. All of that influences our diligence report.

About half of dealmakers are currently unhappy with their cyber diligence. Why is that?

BRAD HALLER: One reason is not getting the right partner to do it. Another reason is missing something during diligence. (Sometimes they’re one and the same.) A private equity firm pays someone to assess the cybersecurity posture of a business, and when six months post-close there is a breach or some other issue – perhaps the target doesn’t pass an audit – they’re not happy. The market is very competitive right now, and when it's competitive the bankers limit access, whether that's to people who are aware of the deal or compressing timelines. And we’re rarely provided perfect information. Sometimes we only get two hours on the phone and need to accomplish the same scope and at the same level of detail required for an on-site, all-day visit. This obviously opens itself up for missing things, whether that's IT or cybersecurity or quality of earnings.

Who do you want doing your cybersecurity diligence?

PAUL COTTER: You're looking for people with broad exposure across a wide set of industries, as well as a fairly deep set of capabilities. Because you want to apply that perspective across all of the deals that you see on an annual basis and see where each fits in the spectrum of “things we should expect” vs. results that are out of the ordinary. That part is pretty important and allows private equity firms to put results into perspective. You also want someone with an understanding of how the target business operates, and why they might be in the situation that they're currently in with regards to security (or a lack thereof). Both the business and technology sides must be present.

What else are you doing besides evaluating their strategy and controls?

PAUL COTTER: We also do something called a threat hunt. Once you've made the decision to acquire a company, perhaps pre-close, we might recommend if it's a particular high-risk industry or a particular high-risk set of data that they conduct a threat hunt. This gives you some assurance as to whether there has been a breach in the recent past that might affect the data that you're actually acquiring and therefore the investment. BRAD HALLER: For a pretty small fee, small being $20,000 to 30,000, we can put a dissolvable agent in a company’s network and prove right or wrong if they have been breached recently. So there is a way to make sure, even with the tight time frames allotted under diligence, that assurance can be relatively low maintenance for the target company. And, you can usually get the seller to pay for this.

How frequent is cybersecurity part of the overall IT diligence West Monroe is doing?

BRAD HALLER: At this point, it’s about 50% of the time. In certain industries – health care, retail, software companies – it’s nearly 100% of the time. We do a lot of work with lower mid-market consumer industrial products companies that might not have any protected data. They're not taking cardholder data and stuff like that, and the biggest risk might be they have proprietary drawings, so it runs the gamut. But when we started doing cybersecurity reviews about four years ago in earnest, it was only 5% percent of the time. It's a pretty big shift in a short amount of time

What does a deal-stopper look like?

BRAD HALLER: In our experience, only about 1% of the time does a cybersecurity issue stop a deal. It’s industry-dependent, for example a small healthcare provider who has severe HIPAA issues and doesn’t understand it’s supposed to be doing more than collecting consent forms. Most of the time, though, you have something that can be remediated pretty quickly post-close. It's just expensive, and that's the other part that becomes difficult. None of this stuff is cheap and hiring the right people for this is difficult because there's so much demand for them. It's not value accretive. Listen to the entire episode, West Monroe Partners on Cybersecurity, on SoundCloud.

Get West Monroe’s annual research on cybersecurity diligence

Check out more episodes of Alex Agran's "Private Equity Technology Podcast"!