Long Read, March 30 2022

Improve your cybersecurity – hackers go for the weakest link


This cruel adage has long been true in the case of cybersecurity. Years ago, hacking was an intellectual pursuit. The best hackers would publicise their exploits and how they cracked the most advanced security. 

Today, for-profit hackers are engaged in a business, and these businesses are about cash, not intellectual trophies.

Rather than seeking to crack the toughest security, hackers are looking for the easiest way into companies. They are looking for the slow hiker, and mid-cap companies represent that opportunity. 

Even with the best intentions, mid-cap companies cannot spend the kind of capital on cybersecurity that larger companies can. Mostly they do not need to, as many have lower risk profiles than larger companies, which are often meatier targets for hackers.

However, when those mid-cap companies become the acquisition targets for larger companies or private equity companies, their risk profile suddenly changes.

They are now cash-rich due to recent funding from the PE fund and their name is in the press, making them known to hackers and subject to broader fears about their reputation.


A third, less appreciated risk factor is also at play as an acquisition is announced. Hackers have long been known to attack companies that are targets of acquisition. They breach the target company when a potential acquisition is announced and dwell there for months.  

They will use the acquisition target as a Trojan horse, leading them into a broader network of the larger company if and when a system integration occurs. Such patience and strategy were once thought of as reserved for nation states. 

But today, we know that sophisticated organised crime hackers also play the long game, and their profits are an indication that their strategy is paying off.

Barriers to cyber protection

So why are mid-market acquisition targets not doing more to protect themselves? The short answer is that investing in cybersecurity requires time and money. 

For companies still in early growth phases, time and money are in short supply. Even for those companies that are willing to invest time and money, hiring a qualified executive to oversee cybersecurity, for example a chief information security officer (CISO), is easier said than done. In the cyber sector there is a war on talent for these types of executives, and even those companies that find one are lucky to retain them for more than a year or two. 

Perhaps an easier alternative is for the PE company to have their own CISO help in the due diligence work pre-acquisition and to drive the portfolio company’s security post-acquisition. This too is tricky. 

PE companies often want to oversee their portfolio companies but not manage their day-to-day operations. Portfolio companies are typically wary of too many attempts by their investors to meddle in their operations.

Yet cybersecurity represents the kind of infrastructure support that should be welcomed by a portfolio company and recognised as a win-win.

An alternative, which some of the leading PE companies are adopting, is to create a programme for their portfolio companies to implement. The PE company sets expectations for the portfolio companies to manage their cybersecurity risks with the aid of external consultants and counsel.

The portfolio companies, in turn, engage the third parties to conduct a risk assessment, review controls, policies and procedures, and run what is known as a 'tabletop exercise'.

In the tabletop exercise, the portfolio company executives engage in a simulated exercise to understand their cybersecurity risks and practise their response. The result of these risk assessments and exercises is often a roadmap to cyber maturity. While the process starts with rather simple cyber hygiene improvements, it can take years to achieve true maturity.

Regulation

Understanding the importance of cybersecurity and the severity of the current threats is imperative, with global regulators starting to put increasing pressure on financial advisers’ cybersecurity practices.

On February 9 2022, the US Securities and Exchange Commission proposed new cybersecurity rules to regulate private fund advisers and protect investors. These new rules contemplate greater cyber risk oversight and disclosure of cyber incidents. 

Regardless of applicability outside the US, these rules represent a growing trend of cyber regulations anticipated around the world in the next few years. If funds will not mature their cyber operations without an extra nudge, regulators will add the nudge.

Maturity for acquired companies still leaves open the question of cyber due diligence pre-acquisition. Regulators have fined companies millions of dollars for cybersecurity failures of acquired companies.


PE companies have also suffered millions in losses from acquiring companies that had breaches shortly after the acquisition, well before any new cyber maturity plan could be implemented. Some attacks cannot be anticipated, but cyber due diligence is itself an area requiring maturity. 

In the haste to close a deal, cyber due diligence often consists of a review of policies and procedures, with very little true peeking into the target’s controls. 

Most acquisition targets would resist a potential acquirer’s request to conduct a penetration test or deploy software into the target’s network to scan for issues. 

That is understandable, but other options exist, such as a review of external metrics, incident reports made public, and cyber-threat intelligence. 

Additionally, spending time in interviews can often shed more light on the real cyber maturity of a target and allow acquirers the opportunity to ask pointed due diligence questions following a document review.

By focusing on pre-acquisition due diligence and driving home post-acquisition maturity, PE companies and their advisers can decrease the cyber risks and help mature the controls at companies still focused on their own hyper-growth.

Erez Liebermann is partner and co-chair of US data solutions, cybersecurity and privacy practice, New York for Linklaters