In a recent Real Deals webinar, Edward McNicholas, co-leader of the Ropes & Gray Data, Privacy & Cybersecurity practice, joined industry experts in a lively discussion on the rising importance of cybersecurity across all businesses and how businesses can help mitigate the impact of a cyberattack.
The key issues discussed by the panel are summarised below:
Mixed awareness of cybersecurity's rising risk
Cybersecurity risk has come increasingly into focus, particularly as the increased use of digital platforms and digital services becomes more prevalent. As such, cybersecurity should not be viewed as a technical risk, but as a business or investor risk.
However, not all businesses are aware or conscious of cybersecurity considerations. Edward McNicholas explains that: “Companies are either zero or 100 on cyber risk - it is either nothing to worry about, or they’re terrified and paralysed that they could be hit by ransomware. Neither is the correct approach. It is one risk among many risks of running a business.”
This will be a persistent risk consideration for businesses, as the frequency of enforcement by European regulators has been on the rise since the introduction of the General Data Protection Regulation (GDPR).
Following up on due diligence
The panel agreed that cybersecurity was also a mixed consideration in the due diligence process, with some general partners not placing sufficient emphasis on cyber due diligence during pre-deal assessments. This is a result of the commercial reality stemming from increasing competition over widely sought after assets limiting the time available to conduct pre-deal due diligence. As a result, cyber due diligence for competitive auctions usually takes place post-deal.
However, this should be followed up on, as unaddressed red flags in portfolio companies may lead to hefty penalties on the holding company. Last year, UK data protection authority the ICO fined Marriott £18.4 million for a cyber-attack stemming from a vulnerability in the data processing systems of Starwood, a company Marriott acquired in 2016.
The requirement to comply with data protection laws such as the GDPR is an on-going obligation, and the ICO has stated that the need for a company to conduct cyber due diligence “is not time-limited or a ‘one-off’ requirement”. For more information on the ICO data breach, see our client alert here.
Vulnerabilities to PE firms themselves
As PE firms can potentially hold large amounts of personal data from their portfolio companies, they are not immune from cyber risk. Indeed, the GDPR permits national authorities to fine “undertakings” as a whole, which means that parent companies may be fined for infringements of their subsidiaries.
Such fines are also not geographically limited as the GDPR contemplates fines of up to 4% of the total worldwide annual turnover of the preceding financial year of such companies. As such, multinational PE firms have significant cybersecurity risk considerations to plan for and manage.
Edward McNicholas highlights the importance of having a dedicated team or department to handle cybersecurity: “If you don’t designate leadership in this area, there will be an effort by the leadership of the firm overall to just run the event straight off. They can bring all kinds of varying levels of information to an attack, which can be quite a challenge.” He further mentions that emails and wiring instructions are vulnerabilities in private equity firms that have been frequently exploited.
Practice makes perfect
The panel also agreed that practice should also accompany planning. PE firms should test their resilience against realistic mock scenarios they or their portfolio companies might be subject to, such as a supply chain compromise or extortion-based attack. James Owen, Control Risks’ global head of cybersecurity, explained that such testing is crucial in order for people in organisations to know their roles and responsibilities if faced with a real incident. He further added that well-prepared companies also tend to benefit from a reduced impact on their critical assets and a faster recovery time.
“I think the real vulnerability in private equity that we’ve seen exploited again and again, is that people email around and send wiring instructions for large wires, in connection with deals.”