Cybersecurity for Private Equity Acquisitions
Cybersecurity should be one of the key concerns when a private equity (PE) firm is performing due diligence on a candidate acquisition target.
Specifically: is the target company doing enough cybersecurity? Is the target company's cybersecurity effective? Is it cost-effective?
If the answer to any of these questions is "no" or "I don't know" then your due diligence has a hole in it. Cybersecurity liabilities might drive down the target company’s value in the aftermath of a poorly managed security incident.
The obvious answer is to get some kind of cybersecurity assessment, but all too often the assessment process seems opaque and complex, and its results are hard to understand or trust.
At Pythia, we make the process simple and comprehensible, and we base it on the business value that the PE firm is seeking. Pythia’s approach, though easier to understand than others, is no less diligent, and is in fact more rigorous. The approach focuses on the four key factors that are essential to understanding the risks in the target company.
Assessing each factor starts with a basic question:
1. What are the company’s critical assets that require cybersecurity protection?
2. How would the company's operations, its revenue and liabilities, be impacted if the assets were attacked?
3. Which specific cybersecurity protections are required, and performed by which staff with what oversight?
4. Who is responsible for using oversight to ensure that the staff are performing effectively, and to detect and correct shortfalls?
The ideal result of our assessment is that the target company has ready and specific answers to all these questions, with evidence to support these answers. A good result is ready and specific answers without solid evidence. A bad result is a long wait before getting vague answers without evidence.
A Pythia assessment gets the answers, whatever those answers might be, and also identifies gaps that should be filled. We understand that the goal is to support the buy/walk-away decision. We also understand that sometimes the next step is a guesstimate of what it would take to make the target into a solid "buy."
Our methodology is based on one key insight: change is coming, and to protect and grow its value, every organization needs to maintain and strengthen cybersecurity. Every company with any exposure to the Internet or dependence on distributed information systems faces a rapidly evolving threat environment. Particularly in a PE context, an acquired company faces a new set of internal challenges as well. Being acquired means undergoing changes; these changes often impact cybersecurity effectiveness and costs. As a result, in addition to the usual cybersecurity technological assessments, it’s essential to know at the outset which people are the most open to or resistant to changes that impact the company’s risk management. That is why Pythia includes an assessment of how open to change key personnel are.
With that focus on change and risk management, Pythia's sometimes surprising starting point is this: answering each of these questions starts with the executive team, continues to include IT leadership, and fundamentally involves the company’s people management. Diligence focused on technology alone simply won’t provide the essential answers. To see why, let’s unpack each of the four questions.
Answers to the what and how questions start with the executive team, because cybersecurity is about protecting the company’s business and its continuity of operations, and it is the executive team that defines what the business is, what is critical to keeping it operating, and how to manage risk. Cybersecurity is a form of risk management – managing the technology-based risks – and should align with all the other forms of risk management, for which responsibility starts at the top. As business operations and operational risks change post-acquisition, determining the corresponding changes required in cybersecurity also starts at the top.
Answers to the which and who questions are the bridge from the what/how to the specific cybersecurity operations that should – but often do not – align with the requirements to protect the critical business assets and manage the risks of cybersecurity incidents. It’s not enough just to document what the IT security team is doing; it’s also necessary to discover whether that alignment actually exists and, if not, what needs to change. Alignment must be complemented with oversight. It’s not enough for the IT security team to explain what they do and how it’s aligned; it’s also necessary for team management and people management to perform the oversight that gives assurance the team is actually carrying out the cybersecurity tasks that protect the company’s infrastructure and operations.
Don't buy blind. Treat cybersecurity with the same diligence with which you treat finance, HR and sales. You need to know your potential cybersecurity assets and liabilities. Pythia Cyber can help.