Private equity companies are taking a closer look at how their portfolio companies manage their cybersecurity, often before a deal is signed.
A combination of market forces and investor pressure is forcing even the youngest companies to beef up their cybersecurity, as would-be acquirers step up their scrutiny of digital weaknesses.
“Cyber’s ability to impact the operating performance of a company or the financial risk it can create is significant,” said Jeffrey Calhoun, a managing partner at New York-based Tailwind Capital, a private equity firm that invests in midmarket infrastructure, supply chain and technology companies. “It’s our responsibility as control shareholders to head those things off in every possible way.”
While a mature cybersecurity program was once the preserve of large, well-resourced companies, startups and midmarket firms are now finding that a host of third parties, from clients to regulators and investors, require them to implement at least baseline defenses.
Insurers, for instance, often require applicants to demonstrate that they have cybersecurity measures in place before they grant coverage, while regulators are applying pressure at “the highest level we’ve seen in 20 years,” said Dave DeWalt, a managing director at venture capital firm NightDragon.
“The insurance industry and regulators are almost driving the same controls into a company to make them perform better,” he said. “This is all good stuff. It should have happened 10 years ago.”
Private equity companies are also stepping up how they assess companies they may wish to buy. In addition to fundamentals such as financial health and management structure, they’re often looking at cybersecurity.
“Cybersecurity has evolved significantly as a risk factor, and it’s an area that requires due diligence before we even make an investment,” said Calhoun.
Tailwind requires portfolio companies to have multifactor authentication, network security, cyber insurance, and an incident-response team or access to one at a cybersecurity company. It also requires companies to have a chief information security officer either full-time or through Tailwind’s relationships with cybersecurity companies.
Tailwind contracts with consulting firms for a set number of hours of work each year with virtual CISOs, who are often retired corporate security chiefs. Each portfolio company gets at least 10 hours each month of access to such a CISO from companies including Secureworks and Presidio.
Virtual CISOs help with creating security policies, testing controls, advising chief executives and technology officers, and reporting to the board, said Eash Sundaram, an operating executive at Tailwind.
The idea is “to bring the security of companies to our minimum standards,” said Sundaram, a former chief digital and technology officer at airline JetBlue. “It happens in a systematic way.”
Every portfolio company gets this treatment, Calhoun said, adding that companies require cyber upgrades almost every time.
Many private equity firms are taking a similarly serious approach to cyber, said Chris Stafford, a partner in the mergers and acquisitions group at advisory firm West Monroe Partners, in part due to the increased visibility of — and responsibility for — cyber risk management at senior executive levels.
Due diligence processes are no longer focused only on whether a company has the right policies or governance in place, but can also include network scanning and penetration testing, in which security specialists attempt to break into systems, he said. Even post-acquisition, Stafford said, his company has a cybersecurity advisory group that meets quarterly or twice a year with around 30 funds to examine portfolio companies’ cyber postures.
“The willingness to take chances is way down from what it was in the past,” he said. “It’s no longer a minor thing that maybe the operating team should deal with, but it’s front and center for the lead partners at a lot of these funds.”
Write to James Rundle at firstname.lastname@example.org and Kim S. Nash at email@example.com
This article was published by The Wall Street Journal, a fellow Dow Jones Group brand