Cybercriminals are attacking private equity firms at what they see as a weak link — a firm’s recent acquisitions.
The reason for this is simple: Newly acquired entities often have strong cash flow and weak cybersecurity, making them entry points to companies in the entire PE portfolio.
This has put deal-making firms in a bind. They need to obtain cyber coverage for their acquisition, but insurance carriers’ appetite for cyber risk is uncertain and cyber insurance prices have skyrocketed.
However, PE firms can make it easier to obtain coverage by not omitting the security controls whose absence can make them uninsurable, particularly when they are adding to their portfolios.
Scrutinizing for cyber risks
During the underwriting process, carriers will scan a PE firm and its merger target’s cyber defenses, identifying vulnerabilities and ports of entry — and often require those risks be addressed before writing a quote.
PE firms that fail to implement appropriate risk management for both the firm itself and its acquisitions will be unable to secure adequate cyber coverage. Overlooking basic protections such as the following will disqualify a private equity firm from obtaining coverage:
- A lack of intrusion detection and prevention. Firewalls are one of the first lines of defense against cyberattacks, making them one of the first security measures that insurers evaluate. The firewall should include monitoring systems that detect intrusions or violations of security policies. Without an effective firewall, there’s no chance of securing cyber insurance.
- Insufficient endpoint protection solutions. PE firms must install security software on computers and mobile devices that repels cyberattacks and prevents the installation of malware.
- No multi-factor authentication (MFA). MFA has become a minimum requirement to obtain most cyber policies. Underwriters will be checking if MFA is used in key environments such as SaaS accounts, remote network access, internal security applications and backup systems.
- Deficient email filtering. PE companies that don’t use email filtering policies and processes such as the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) are unlikely to get cyber insurance.
- Inadequate data backup. It’s not enough to have a single backup. Firms should maintain three copies of data in two different formats. A PE firm needs these strategies to obtain coverage, especially prior to an acquisition.
- A lack of endpoint detection and response (EDR). EDR continuously monitors end-user devices to stop malware before it spreads. Insurance carriers generally avoid PE firms without EDR.
- Not having secondary cyber controls. Cyber insurance carriers want additional cyber controls such as privileged access management, as well as security information and event management tools. Underwriters also want PE firms to have controls such as network segmentation, which divides networks into subnetworks and creates firewalls between them to minimize the impact of a cyberattack.
Contact HUB International’s Private Equity experts and Cybersecurity specialists for more information on purchasing the right cyber policy for your PE firm and portfolio companies.