Private equity firms may inherit data attacks from acquisitions

INSIGHT ARTICLE | July 13, 2021

Many businesses in a variety of industries, including private equity firms and their portfolio companies, can experience data security breaches. Violations often involve the loss of customers’ personal and credit information, and many times, go far beyond the potential loss of financial information or regulatory penalties. The bad press from a security breach could equate to the loss of thousands, if not millions, of customers. In addition, the greater hit is often in the form of reputation and goodwill erosion, and the possibility of liability suits.

As a private equity firm acquiring a new business, could you be held responsible for existing ineffective security strategies, resulting in breaches within the acquired company? Further still, post-deal close, could you encounter challenges related to compromised intellectual property of the acquiring business and resulting aftermath? In a word, yes. You could inherit many of the problems from presale attacks, and be paying for these security issues for years, in the way of fines, costly litigation or plummeting revenues.

Intellectual property concerns

A major concern for private equity firms and their portfolio companies is compromised intellectual property. What happens if you own or acquire a company, not knowing its key intellectual property has been compromised? For example, let’s say you buy a company that had the market cornered on one specific area, a unique niche in the market, and that unique niche was what made it a desirable business purchase. After the sale, you find that the very unique niche that made the company so ideal was actually compromised, due to a security breach or stolen intellectual secrets. Patents, copyright, trademarks and industrial design rights provide protection around the elements of intellectual property, yet ideas can be breached and designs stolen.

Knowing of the intellectual property breach prior to the deal closing, how would this have affected the acquisition? You may have walked away from the deal or bought the company for a lower price. A company can lose its value and competitive edge if their key intellectual property is compromised. Losses for a deal misstep like this can result in millions of dollars, and business recovery may never occur. Proper due diligence prior to the deal close is essential to uncover intellectual property impropriety or breach.

The best defense

To get started on applying protective security strategies, a simple assessment of the current state can help an organization understand their security posture, and identify gaps in their security program. Private equity firms can use this same approach in their potential acquisitions, as well. Studies show good protection can save a company up to $1 million per year, or with higher-end protection, as much as $2 million.

A business-wide and sweeping assessment can help reveal appropriate security standards, including: ISO 27001, the payment card industry (PCI), Sarbanes-Oxley Act of 2002 (SOX), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA) and more. In addition, it can uncover, to an organization or an acquiring firm, all of the ways the company may be breached. For instance, most data breaches do not happen through front-facing websites, but rather through side channels, like a branch wireless system or retail site networks. Organizations should ensure that all access to their networks and systems are managed, including third-party access.

In addition, a comprehensive assessment can identify if the acquisition target will need major funding to get itself security compliant. Frequently, when a company is trying to get acquired, they will cut all possible spending in order to make their financials more desirable to a buyer. This often includes funding cuts related to information technology (IT) security and maintenance, the very preventive needed for strong security planning. A private equity firm looking to acquire this company often doesn’t realize this financial cut until post sale. Unfortunately for the acquiring private equity, in these cases, it may take several years to upgrade the acquired company’s technology and assure proper security strategies and tactics are in place.

Questions to consider

Another best defense is pondering critical questions prior to an acquisition. Answers to these questions may make all the difference in deal negotiations.

• What is it about the target that makes it of value to you?
• Is it something that can be stolen or copied? Broken?
• How would you know if it has been compromised before you buy that target?
• How would you know if it has been compromised since you bought it?
• How are you monitoring this risk?
  • Are your targets or portfolio companies doing this on their own?
  • What evidence or metrics are provided to you?
  • Do you have some centralized process for continuous monitoring?
• Is the target in an industry facing potential new regulatory oversight?
• What if the target is not facing new regulations, but its primary partners or customers are?
  • For example, many retailers and financial clients are now forced to do extensive risk assessments on their vendors and business partners.
• Are you prepared to deal with the cost?

Once a private equity firm or business has an understanding of their current security posture and threats, they can target their information security spend on the largest risk areas to quickly reduce the potential for a security breach. By improving the weakest links in an organization’s information security posture, it can quickly become a less-attractive target for an attacker, and a much more attractive business for a buyer.