At a recent financial services conference, I heard a cautionary tale that bears repeating. It involves ransomware, private equity (PE), and a rising cybersecurity threat landscape for an entire industry.
As brief background, PE firms are in the business of buying, improving and selling companies, and are largely made up of attorneys and accountants. Their in-house expertise lies in analyzing financials, identifying undervalued companies and structuring the legal arrangements for those deals; cybersecurity is not among your average PE firm's core competencies.
From Press Release to Ransom
Typically, a PE firm will issue a press release upon acquisition of a new portfolio company, and another once they sell it at a profit (usually a five- to seven-year process). Seems straightforward, right?
Well, not quite. According to the individual at this conference, a troubling trend is emerging: shortly after the press release goes out, the newly acquired portfolio company is hit with a ransomware attack. To regain access to their PCs and databases, the PE firms pay the ransom and work with the attackers to restore the encrypted data.
It appears that ransomware operators have identified newly bought portfolio companies as easy targets. And they're not wrong; PE firms typically inject a large amount of cash into their acquired businesses to improve operations and maximize the value of the company. In other words, the target has the funds to pay a ransom, and the press release tells the attacker exactly when that cash arrived.
Additionally, since PE is made up of lawyers and accountants, cybersecurity is not necessarily top of mind. As such, cybersecurity due diligence on target companies is often insufficient, and sometimes an afterthought, leaving them vulnerable to attacks whose results can be devastating (just ask Marriott, whose 2018 breach traced back to the Starwood reservation systems it had acquired two years earlier).
Caught Between a Rock and a Hard Place
Private equity firms need to issue press releases on their portfolio companies; it's how they raise awareness in order to increase the number of interested investors in their equity funds. However, these press releases leave a trail of breadcrumbs for hungry attackers to follow to cash-rich companies.
PE companies need to address two critical issues to fix this conundrum.
First, they need to conduct real, comprehensive cybersecurity due diligence before they complete a purchase. The current standard of practice often involves sending a network IT employee or IT consultant to check a target company's network connectivity and minimal security, like confirming it has a firewall and rotates passwords often enough. That's about it. None of that tells you whether the company has offline, tested backups, patched internet-facing systems, or multi-factor authentication on remote access, which is what actually determines whether a ransomware incident ends in a restore from backup or a ransom payment. A comprehensive, repeatable set of security checks needs to be created and conducted.
Next, after purchasing a company, PE firms need a set of security standards applied across the whole portfolio to protect the value of the fund. Consider KKR, one of the biggest PE firms in the world, which has a $20 billion fund for buying U.S.-based companies. A widespread attack across multiple companies in that fund would cripple the fund's value to investors.
Bring in the Experts
This story is but one example of an industry where the cybersecurity threat is rising and is not being met with adequate expertise; the long-term consequences can be severe.
I've said it before, and I'll say it again: securing digital assets can no longer be delegated solely to the IT department; it must be infused into product and service offerings, security, and perhaps most importantly, development plans and business initiatives. This holds especially true for industries, like private equity/financial services, that are steeped in acquisitions. To further quote myself, "When one company acquires another, it doesn't just acquire assets. It also assumes the target company's risks. Put simply, their gaps become your gaps."
PE companies need expertise and a clear set of cybersecurity best practices. They need managed security services to help them. And they desperately need a deeper awareness and knowledge of today’s constantly evolving threat landscape.