By Arturo Perez-Reyes and Patrick Bourk, HUB International
Criminals are targeting private-equity firms, because they have valuable assets, trusted connections and money on hand. These firms are vulnerable now, because they are working remotely, leverage online services and use few IT professionals. Successful attacks result in extortion, interruption and loss of secrets.
PE firms are especially vulnerable because they receive extremely sensitive, often highly confidential information from portfolio firms via email and file-sharing sites. If a single company in a PE firm’s portfolio is vulnerable to cyberattack, the entire PE firm’s network could be at risk.
Performance first, cybersecurity second
Although PE firms have prioritized deal performance over cybersecurity, they are now reevaluating that equation. In 2020, 51% of global businesses were targeted by ransomware.[1] Ransomware costs are expected to reach a record $20 billion this year.[2] Global losses from cybercrime grew to $1 trillion in 2020.[3]
And yet, as many as 78% of organizations do not analyze cybersecurity during acquisition due diligence.[4] Fewer still actually put boots on the ground to test a target’s claims about security.
Any lack of diligence could give rise to unexpected losses and to a diminishment of value. For example, Yahoo’s security failings soured its acquisition by Verizon, leading to a loss of $350 million.[5] And if investors and managers don’t care, insurers do. Insurers closely examine the cybersecurity of acquisitions and punish weakness with narrow coverage and higher premiums.
And you know who else cares? Bad guys. As soon as a PE firm announces an acquisition, it gets a bullseye, because large amounts of money will change hands and it all has to happen on time.
Coverage limits matter
Unfortunately, most firms underinsure and compound that error by benchmarking against other uninformed firms. The result is the blind leading the blind, aided and abetted by witless brokers. SEC filings for the breaches at Target, Home Depot, and Anthem reveal that all three bought into benchmarked limits of $100 million that had nothing to do with a ground-up analysis of risk. As a result, they suffered losses of $292 million, $289.5 million, and $365 million respectively. In sum, they were 75% underinsured.
Thus, PE firms need to do diligence on potential losses and appropriate limits when acquiring companies as well as when managing portfolio firms. Here is a list of considerations:
Privacy. A portfolio company usually houses more personally identifiable information than the PE firm. Each business should consider a ground-up analysis and both its board and the PE firm should make sure that this risk analysis is thorough and realistic.
Ransomware. Although ransomware payments now average $233,817, the distribution of demands is highly skewed. Several active campaigns are making individual ransom demands of $20 to $30 million. Thus, firms should focus not on central tendencies but on low-frequency, high-severity events.
They should also be prepared for worse outcomes like never seeing their data, or being extorted multiple times. Last year, 75% of companies reported ransomware attacks. Half paid the ransom. But only 60% got their data back. And some saw second and third payment demands.
Regulatory fees. PE and portfolio firms need to know what kinds of data they each possess, as well as the regulatory requirements and pertinent fines where the data is domiciled. For example, if a U.S.-based company holds data on Europeans, it falls under the General Data Protection Regulation (GDPR), which in the event of a data leak can lead to regulatory fines of up to 4% of the company’s global annual revenues or €20 million, whichever is greater.
Vendor risk. Value chains are a growing threat vector and source of loss. PE and portfolio firms also need to do diligence on vendors and providers, for three reasons. First, IT vendors are being targeted by criminals and nation states (for example, Blackbaud, SolarWinds, and, recently, MS Exchange). Second, privacy laws like GDPR and CCPA, and financial regulators, obligate data owners to do diligence on data processors and hold owners responsible for the losses of providers. The Capital One breach, for example, was caused by a disgruntled AWS employee but resulted in a $90 million fine against the bank.
Finally, cyber insurance covers breaches caused by vendors with whom the insured has a written contract. Policies do not cover breaches caused by a sub-contractor with whom the insured does not have a contract. Hence, you will not have coverage should your SaaS vendor suffer a breach caused by a PaaS provider like AWS, Azure, or Google Cloud.
Cyber owner-controlled insurance policies
Although some brokers might suggest a collective policy for a portfolio that requires every firm to pay for the exposures of the riskiest or the sins of the weakest, it’s not necessary. Portfolio firms have their own property and liability policies, so they need their own underwriting and claims history. A better approach is to present a portfolio as an opportunity to one insurer and demand better terms from economies of scale.
In that vein, there are new products that can do the same within a firm. As noted above, vendors and providers bring great risks. Few have balance sheets that can back indemnities, and the smaller ones have weak to non-existent coverage for cyber and professional services. The solution is an owner-controlled insurance policy (OCIP): the insured places a policy into which vendors must buy. As a result, every vendor has sufficient limits and breaches do not turn into circular firing squads.
Contact your HUB Private Equity and Cyber expert for more information on purchasing the right cyber policy for your PE firm and portfolio companies.
[1] Sophos, “The State of Ransomware 2020,” May 2020.
[2] PurpleSec, “10 Cyber Security Trends You Can’t Ignore In 2021,” December 31, 2020.
[3] Washington Post, “The Cybersecurity 202: Global losses from cybercrime skyrocketed to nearly $1 trillion in 2020, new report finds,” December 7, 2020.
[4] RSA, “Why a Cyber Risk Assessment Is Essential for M&A Due Diligence,” October 18, 2016.
[5] Bank Info Security, “Yahoo Takes $350 Million Hit in Verizon Deal,” February 22, 2017.