The first 90 days: Securing PE digital value creation


Focusing on cybersecurity is essential in a transaction


Establishing a secure foundation from which to build value is key in enabling private equity (PE) digital value creation. Given the rising number of security incidents and breaches, weakened cybersecurity hygiene has the real potential to materially deplete deal value and derail management from achieving its digital value creation objectives and roadmap. Too often we see acquisition targets that have only minimally invested in cybersecurity and haven’t kept up with the latest innovations and best practices. Middle market companies, in particular, often have significant gaps even if they don’t think they do. 


We’re finding that many middle market firms have experienced a cyber incident within the last two years and are unable to secure cyber insurance. Those that have secured cyber insurance in previous years are discovering that they are now unable to renew due to new requirements. Further, those that have been fortunate to renew are finding that their new policies aren’t worth the paper that they’re printed on as the coverage may not be what’s needed.


Focusing on cybersecurity should be a top priority upon closing a transaction to enable a secure foundation for executing your digital value creation roadmap. Our experience shows that material cybersecurity improvements can be made within just 90 days post close while also addressing the key requirements needed to obtain a comprehensive cyber insurance policy.




Where to focus?


We have identified five key areas of focus that address the highest risks and that also align with the National Institute of Standards and Technology’s (NIST) cybersecurity framework standards.   


  1. Endpoint detection and response.


Traditional antivirus protection isn’t enough in today’s environment. Endpoint detection and response (EDR) solutions such as those provided by CrowdStrike perform better than antivirus protection by continuously monitoring the environment to detect and respond to ransomware and similar threats. These solutions, coupled with a managed services provider to monitor the environment on a 24x7 basis, are easy to contract and deploy with minimal to no downtime or disruption to IT operations. Within just a few days, an EDR solution can provide a fast and accurate response to incidents to stop an attack before it becomes a breach.


  2. Multi-factor authentication.


A vast majority of the cybersecurity incidents that we’ve observed result from compromised user credentials, which a threat actor uses to gain access to an information system such as email or a billing system. Multi-factor authentication (MFA) requires a combination of two or more authenticators (e.g., a traditional password plus a text to your mobile phone) to verify your identity before access is granted. Several applications have built-in options to enable MFA specific to that account; however, in our experience, establishing a centralized MFA solution is the most user-friendly approach and the easiest to maintain.


  3. Vulnerability management.


Buyers need to be aware of inherent risks that are visible both externally and internally. Many organizations may have “technology debt” from end-of-life systems that can make securing the environment challenging. Additionally, internal threats may come in the form of a disgruntled employee who isn’t happy about the transaction or what it may mean for their job. A proper vulnerability management program uses a variety of tools and processes to help identify outdated patches, insecure configurations, and known vulnerabilities across IT environments internally and externally. It also helps to classify risk, prioritize remediation plans and inventory risk for tracking. This program should also include annual penetration testing exercises to validate the effectiveness of the program.


  4. Privileged access management.


Privileged access management (PAM) is a new requirement that insurers are now mandating for cyber insurance. PAM safeguards identities with special administrative access beyond regular users and allows organizations to better manage access rights. In scoping PAM, a place to start is looking at administrative accounts on major applications and infrastructure, followed by service accounts. A sophisticated tool or technology is not always needed to implement PAM. Depending on the size, complexity and risks associated with the company’s IT environment, a policy document accompanied by a manual process and simple password vault may be an adequate starting point and sufficient to meet insurance requirements.


  5. Disaster recovery and business continuity planning.


Backups need to be available for recovery and routinely tested, and they should be kept in an immutable format in the event of a ransomware attack. Immutable backups are copies of files and data that cannot be altered or tampered with for a preset period. Maintaining immutable backups means you will be able to recover data after a ransomware infection and potentially avoid paying a costly ransom. Backing up your data to the cloud using a centralized immutable backup solution, such as one provided by a credible cloud services provider, is one of the best options for this and can also be an accelerator toward migrating more of your infrastructure to the cloud. Coupled with backup and recovery solutions should be an Incident Response Plan that is regularly tested with all applicable stakeholders to identify gaps and areas of improvement.


Asset management, while not mentioned above, is a critical element that supports these and all other cybersecurity capabilities. Lack of asset management results in unmanaged devices and software in the environment that further jeopardize cybersecurity.




Example case study


Grant Thornton assisted a prominent PE firm with more than $9 billion under management in evaluating the technology risks and opportunities associated with its pursuit of a middle market digital retailer. The target company had grown inorganically and had a fragmented technology environment with little to no cybersecurity governance, processes or controls.


The retailer had recently been the victim of a successful cybersecurity attack, and there was the potential that its environment was still compromised. Grant Thornton assisted the client and the acquisition target with a compromise assessment prior to the close of the transaction to ensure that any critical threats were identified and quickly remediated.


Post close, Grant Thornton executed a playbook accelerating the remediation of the retailer’s cybersecurity deficiencies and resulting in the company securing a competitive cyber insurance policy within 90 days after starting the engagement. Successfully securing the environment paved the way for the management team to focus on the company’s broader digital value creation theses and objectives. 




Sell-side considerations


Operating companies that are looking for a buyer make themselves more attractive to potential suitors by prioritizing cybersecurity and demonstrating that they have the right controls in place to show that there are no bad actors in their environments.


Without these controls, discerning investment teams may require additional cybersecurity assessments as a condition of closing, which can lead to unwanted surprises and potentially destroy or delay value realization. Within a 90-day time frame, substantial improvements can be made to avoid these and other pitfalls that may otherwise result in costly delays and distractions. Conducting sell-side diligence can assist in surfacing issues so they can be addressed ahead of the buy-side process.





Prioritizing cybersecurity


Regulatory requirements and investor expectations around cybersecurity are increasing. This growing focus is sensible, given that a data breach can lead to financial losses, legal liabilities and reputational damage, all of which can hurt the company's bottom line. PE firms that fail to prioritize cybersecurity may face regulatory penalties and could also face backlash from investors. PE firms that make cybersecurity a priority from the start lay the groundwork for successfully achieving their digital value creation objectives.



