Podcast transcript: How cybersecurity creates value in PE

30 min approx | 12 August 2021

Winna Brown

You’re listening to the EY NextWave Private Equity podcast. I’m Winna Brown, and I’m your host.

Feels like it’s hard to turn on the news these days without hearing about the latest cyber attack, and private equity is certainly not immune to this growing threat. Today, I’m delighted to be joined by Paul Harragan, EY-Parthenon’s Associate Partner, who leads information security and cyber defense for pre-deal and portfolio companies across Europe; and John Nugent. John has over 13 years’ experience working in cybersecurity and is currently the Vice President at Apax Partners covering technology and cybersecurity in their operational excellence practice.

Recent ransomware attacks have made big headlines, but I’m assuming that these are really just the tip of the iceberg, given I know how busy you’ve been. Can you give us an idea of how often these types of attacks are really happening?

Paul Harragan

If we look at the statistics from Verizon’s data breach investigations report over the past two to three years, the numbers actually are pretty consistent. Even though attacks are happening all the time, they haven’t actually grown, they haven’t shrunk, they’ve stayed pretty consistent. However, in 2021, what we have seen are some pretty major attacks that have hit the headlines. We’ve seen a surge in ransomware attacks in 2021. An actual increase by 93% over the same period last year where large, big-branded companies are being held ransom, owing millions and millions to restore back to their normality. We’ve also seen a rise in supply chain attacks. There have been several credible suppliers that have fallen victim to this form of exploit which has left their customers with immeasurable losses. This is one of the reasons why cybersecurity diligence in the M&A process is so important for investors: gaining that early understanding of the supply chain and third-party dependency risks is crucial to understanding the overall risk position of an investment.

Brown

In your recent article that you published about why PE firms should pay more attention to cybersecurity, I think you outline that, traditionally, PE took a less rigorous approach to cybersecurity. So, do you think that all the activity in the market and all the penetration that we’re seeing in the headlines, do you think that’s what influenced the changing attitude, if you will, of private equity in terms of trying to deal with these attacks?

Harragan

I think that the press around all of the disruption, all of the costs, all of the potential lawsuits that are facing companies has definitely hit the boardroom and hit the agenda topics for risk controllers of Portcos. Two years ago, cybersecurity risk wasn’t really a headliner. And, of course, there were private equity firms out there that did still look into cybersecurity risk and information security risk; however, it wasn’t as big an exercise as it is now. A lot of private equity firms are now mandating an information security and cybersecurity assessment pre-deal; if not pre-deal, signed to close phase of a transaction and then managing that risk throughout the whole period is vital for them. So we’re definitely seeing a lot more investment in this area. Whereas, take Apax, for example, with John. So John has been brought into Apax within the last year because of the investment and the focus that’s got to be taken into private equity.

Brown

So, John, given what Paul’s just outlined, how do you approach assessing and mitigating cyber risk when you look across the Apax portfolio, because there’s a lot of companies to think about in different sectors with different stages of growth? What’s your approach?

John Nugent

I’d love to say that our program was now fully formed in the 9 or 10 months that I’ve been at the business, but it is very much a work in progress. What I’ve started to set in motion here is really a three-pillared approach built around, for one, minimum baseline control standards that we expect all of our portfolio companies to either have in place when we invest or to actually put in place during the course of our ownership. And then, secondly, we have a monitoring strategy there as well. So, we use a recognized third-party or vendor risk management solution that provides us two things, one of which is continuous security hygiene monitoring. The other is the ability to issue questionnaires to our portfolio companies to understand what controls they have in place. So we wanted to use the second piece really to annually gauge our portfolio companies’ security maturity, including whether they’ve already met those minimum standards that we’ve set out, but also to quarterly check progress against those key gaps and identify any new risks or incidents that have been taking place. And really the third piece, and I think this is absolutely critical, especially to drive buy-in from the Portcos for the wider program, is support. So establishing a security community of interest in the portfolio, getting people working together to form some semblance of collective defense approach, establishing a robust partner program. So working with best-in-class security advisory firms and technology providers, that leverages Apax’s scale. And then defining and delivering centrally through our operational excellence practice, but also through key partners, you know, tools and advisory support to help our Portcos both meet and exceed those standards that we’re expecting of them. That’s really our approach. It is a work in progress, but that’s very much what we’re striving toward.

Brown

When you apply the three-tiered approach as you described it, are there certain characteristics of some of the Portcos that kind of stand out, that make them a more attractive target than others to a hacker, or is it simply a case of setting your strategy and your lines of defense irrespective of the company itself?

Nugent

The way I’d answer that is to say that it kind of depends on the nature of the attacker, and I’m sure Paul will add to this, but, if we’re thinking about cyber criminals, typically the characteristics that might spur a greater intent to target the business could be that it holds, transfers or processes monetizable data. So payment card or personally identifiable information. It’s observably exposed. So, for instance, it has readily exploitable vulnerabilities in its public-facing assets, it frequently transfers or holds large sums of money, or it’s got a large and critical web presence that’s really fundamental to what it does and how it generates revenue. In the case of nation-state attackers, the characteristics are going to be more along the lines of whether the business has really sought-after intellectual property or conducts extensive research and development, has access to sensitive strategic or commercial information, operates in a strategically significant sector, or if it could be a through-vehicle or a conduit to other more interesting and high-value targets. And then, lastly, in the case of cyber-activist groups, which can also be nation-state-linked, of course, you’re really looking at whether the business has direct or strong ideological connections to a particular country, is associated with a single issue perhaps; I mean it could be any number of single issues, either in isolation or in a collective sense, but banks frequently get targeted under the banner of anti-capitalist campaigns, oil and gas companies under the banner of environmental operations, or it could even just be response to particularly newsworthy stories that a company inadvertently gets wrapped up in. So, I think in terms of the intent piece and why an attacker may target a business, it very much depends on the characteristics of that business and, to an extent, how easily exploitable it is.

Harragan

I’d agree with everything you just said. I think there are two approaches that are taken. Firstly, there’s the targeted attack, which is very much an APT group that particularly wants to go after a business for ESG, or financial gain, or some sort of money-related activity where they want to extract data and sell it or they want to hold the company ransom by paralyzing its services. The other type is very much an automated-driven attack, where robots are out there doing their own thing and they’re set loose into the wild and they will spread across the internet and they will take hold of vulnerable assets, as John said. Once those bots take a foothold somewhere, then those groups will then go in and try and get a proper foothold into the business and do whatever they want to do in terms of trying to gain either financial gains or whatever purpose they have.

Brown

Feels like it’s almost impossible to defend yourself against cyber attack. Is there a gold standard around cyber defense? And what does that look like in the PE world?

Harragan

There’s no silver bullet, of course. For me, I would always want to be on the side of not being negligent. Every company out there has a responsibility not to be negligent when it comes to information security and cyber defense. As we’ve seen over the past few months, there is no silver bullet, especially when it comes to third-party supply chain attacks. We put a lot of faith in our third parties that we invite into our companies, and we use their resources, and if, for whatever reason, they become susceptible, there is no defense line against that. But that’s the risk that you have to onboard. Now, what companies need to realize is it’s their preparedness that is the key factor here, so how they would react to an event is very much the solution that needs to be put in place. So that if an attack were to happen that will disable the business, paralyze the business, leak data, they can act in a timely manner, get services back up and running without having to pay into criminalized activities. That, for me, is what customers want. It’s what the regulators want. It’s what the insurance companies want. Just to put this into perspective, I read a report earlier on today, which was released by Marsh last week, that cyber insurance actually increased in cost by 57% over the last year. So there’s a huge focus on companies having to pay out because they’re not prepared, and that’s what we’re seeing. From a private equity perspective, if you didn’t want to be spending loads of money on trying to fix the problems retrospectively, it’s much wiser to invest your money proactively and make sure you’re best prepared for when, not if.

Brown

Can you give us an idea of how much a breach can actually cost, like to defend and then to mitigate repair and even prevent from occurring. I guess I’m just thinking at some point, there’s got to be a cost/benefit, because you can be prepared to the nth degree, but at some point that doesn’t become a reasonable outcome from a financial perspective.

Harragan

I’ve been on several IR calls this last month. All have cost different outcomes, not that I’m going to go into each or any individual party, but it would depend on how severe the attack is and then how far it’s spread and what the outcome is. So if it gets to a point of ransomware, typically there’s either a solution of paying the ransom, which some companies do. I mean there is no other choice other than to pay the ransom, not that I agree with it, but they have no other choice; or there is a whole responsive cost around rebuilding and accepting regulatory fines, customer loss – that’s one of the big things that you cannot quantify, customer loss. How do you even put that into an algorithm to calculate? It’s very, very difficult. That’s why, when we say it’s best to be prepared, so that if an attack were to happen, you already know that you haven’t got to have a full-out cost. We’ll just go into a repair function, and you can restore, you can get everything back, and hopefully, your customers can get in a place where they have that much trust in you. And I’ve seen the attacks before, in the past, with JP Morgan. This was all the way back in 2013, where JP Morgan were breached, and it was how they handled the breach that actually led them to getting more customers.

Nugent

Paul, I think you actually raised a really interesting point before around the challenge associated with quantifying opportunity costs. Yes, there’s the costs that you mentioned helping customers deal with in your incident response work and your lost income, fines relating to failure to meet SLAs or other contractual commitments, legal action from the regulator or individuals, ransom payment, cost of response from remediation, system rebuild and all that other stuff; but there’s the opportunity cost around potential derailment of strategic initiatives as one example or, off the back of the cost impact of the broader incident and the remediation work, spending freezes for other, what could have been revenue-generative programs. For PE, one of the worst impacts I’ve actually seen, and I really want to stress at length that this is not in my time at Apax, and it wasn’t involving an Apax company. It was around a degraded sale price following an incident. So, in this case, the business in question suffered a ransomware incident during a period in which a transaction was being discussed, and it was, you know, towards the latter stages of negotiations. And because of that ransomware infection and the impact of that, the company was rendered entirely unable to deliver its core services for, I think it was around a month to six weeks. Now, not only was the cost of that remediation significant, but the buyer then demanded a 35% reduction in the price, which equated to upwards of US$100,000,000. So, as you think about the potential costs of incidents, if you’re trying to quantify that in advance, things like that are very hard to proactively gauge. It just shows you the magnitude of the potential impact, particularly if an incident comes at the worst possible time.

Brown

If we think about the context of PE and the example that you just gave, when PE is now doing due diligence on a potential target, is it part of the regular process today for cybersecurity due diligence to happen, and what are some of the red flags that potentially come up that could impact the valuation of a target?

Nugent

I think it’s increasingly becoming standard. We’ve definitely been on a journey, in that sense here at Apax, I think it is very much becoming commonplace for us. I think that’s also true of the broader industry, at least with some of our peers. In terms of red flags, it’s actually a really difficult question because, ultimately, it’s very rare in my experience for security issues to kill a deal, unless they’re really the final nail in the coffin and the deal team was souring on the investment anyway. With that said, the areas that always deeply alarm me, and these are super basic, but I always get very freaked out when I see that they’re not in place, are things like endpoint protection, regular security testing, perhaps more critically, and this speaks to Paul’s point around being prepared to respond and just assume the worst, a lack of monitoring and detection and incident response preparedness. I’m like, oh my God, okay, this really does start to worry me. Because frankly, my perspective is that, if the attackers have the intent and sufficient capability, incidents are somewhat inevitable because no company at all is impenetrable, as the last year’s really underlined. And if you’re not able to see the attackers get in and are clueless on how to respond, then, when you do eventually get burned, it’s going to be doubly catastrophic whether or not you get lucky in the short term by not investing in that preparedness in advance.

Harragan

I would also add that, whilst you have that lens, there’s another lens that I always take with regards to my approach, and that’s on a timeline basis. I often look at red flags, especially when dealing with pre-deal as I want to know what’s happened in the past, I want to know what’s happening right now, and I want to know what’s happening once that capital’s been deployed. Because whilst the historic view is important from a data protection perspective, the present is important because you want to know what they’ve got in place right now. The future is probably the most important bit because, once the deal thesis is realized and the investment hypothesis is put into play, capital gets deployed, it will evolve the threat landscape of the business in some way, shape or form, because that money typically goes into a new service line or it typically goes in to enhance, maybe new geographical location, whatever. It’s really, really important to understand the cybersecurity risk for the future, because, whilst you may deploy 150,000,000 into a new service line, if you haven’t got in place the right security mechanisms to protect that new service line, that may cost you another £100,000, £200,000, £300,000. All of that risk needs to be embedded into the cost model going forward because that’s often missed. And typically, when we do portfolio reviews as we go through the journey and the hurdle rates are hit through the life cycle, we see demands always being pulled onto cybersecurity budget because they’ve not been prepared for.

Nugent

I think that’s a fabulous point, Paul, actually, and that’s one of the key things we really try and get a good handle on as we’re onboarding portfolio companies. Because, to your point, the shape and contours of that business can change fairly fundamentally off the back of a significant investment, like will often come from PE, and so, we really work with security leaders, should they have those, which is not always the case, of the portfolio company to try and gauge how they’re thinking about the future, how they’re thinking about capability development, how they’re thinking strategically or otherwise about systematically improving that capability, and also how that’s aligned to the business plan. What’s the business plan saying that could introduce new risks if that was executed, and how are those risks being communicated to you as a security leader, and what action are you going to take off the back of those? We are really increasingly focusing on being methodical about the way in which we have that strategic conversation with the security leaders in the Portcos.

Harragan

From a pre-deal perspective, it’s so difficult to find that strategy information, because, often, the security guys are not even in the tent, they’re not in the insider list for the deal. So, of course, they’ve not thought that far ahead, and, therefore, it’s completely missed off the term sheets.

Brown

To that point, do most companies that you’re evaluating and most companies today have a security leader and it’s just a case that they’re not under the tent, or do many of them, it’s not really a dedicated person, it’s someone who’s got three or four titles, and cybersecurity just happens to be one of the areas that they look after?

Nugent

For me, it depends massively on the size of the business. There’s a lot more double-hatting than I’d like across the board, but, for our enterprise-grade investments, there’s usually a named individual; whether or not they also have hidden broader technology responsibilities or not often remains to be seen. But for our smaller, more venture-size investments, it’s often fairly rare for them to have a named security individual or a security team, unless they operate in a sector which is observably high risk and faces a pretty regular stream of attacks.

Brown

Do you find that the portfolio companies that you work with welcome you and your team with open arms and are really embracing the future state and thinking about cybersecurity from a go-forward perspective and strategically?

Nugent

That’s a loaded question. A great one. I think it varies, and a lot of that is dependent on personal approach. It’s unavoidable. You will experience some resistance, particularly if you’re dealing with extremely experienced security leaders for whom this isn’t their first rodeo. They’ve had PE investment before. They’ve possibly been fully owned by a strategic before. They may take umbrage, at least initially, to having to have that conversation again about their security program and, again, about how they’re going to invest their security budget in the year ahead. To put my former consulting hat back on, it’s really being able to show through the program that you have in place at the PE house and everything you’ve worked to establish that you can add value and that’s the key thing to show them. Because if you can be helpful to them, those barriers start to get eroded pretty quickly. It’s a mixed picture, but I think I get more buy-in than antipathy.

Harragan

Yeah, I think his thoughts of frosting. Once they realize that you can help them secure a business case and secure budget for actually what they want to achieve, everyone gets on board, as long as there’s money for it.

Brown

To that point, how are you finding boards reacting to cybersecurity, and what level of awareness do boards seem to have these days? Because clearly, it’s in the headlines, they would be looking to mitigate risk and think about strategic opportunities. Are they pulling you in to report on cybersecurity? How are they approaching it? And are you finding added scrutiny by boards around cybersecurity risk?

Harragan

I get brought in typically in a reactive state. The board just wants everything back to normal before an incident were to occur. Funding is never really an issue. It’s more of a case of “just get it fixed. We want as little disruption as possible.” Doing portfolio reviews, board buy-in has definitely grown in the last year. I think that the security awareness and ESG awareness has definitely hit the agenda. It’s definitely an agenda topic now, and people realize that security is a threat and everyone’s open to it. Funding and budgets are put aside; however, they often get taken to the backseat if there’s another initiative that takes precedence. I think, overall, it’s definitely going in the right direction. We’re seeing positivity from funds; we’re seeing positivity from Portcos. I think everyone understands that there is a huge risk out there and everyone’s open to it, be it a small venture, be it the big corporate enterprise conglomerate; everyone’s available to attack.

Nugent

Paul, on the topic of risk quantification, I had an interesting discussion with someone the other day and they were kind of of the view that, whilst everyone wants to financially quantify cybersecurity risk, nobody is really going into it wholesale or fully buying into it and actually deploying end-to-end that type of thinking or approach. What’s your take on that? Because, for me, I think we’ve had this discussion a few times in the past, like, if I can show to my deal teams that I am systematically reducing our level of financial cybersecurity risk exposure, it’s like finding a unicorn. But I’m not there yet. And I just wonder the extent to which you’re seeing that with either PE houses or more broadly as an approach that’s becoming commonplace.

Harragan

I think the question you’re asking, is, how can cyber be added as value creation rather than just the cost, right, so …

Nugent

That’ll be the unicorn plus another unicorn frankly, but yeah, go ahead.

Harragan

Because I often like to think that we do add value, but it’s difficult to put a financial benefit line on that. Where I think that we do really add value is that we are protectors of the bottom line, really. If you can demonstrate at the end of your whole journey and you’re just coming towards your exit period, if you could demonstrate that you’ve actually invested in security, you’ve protected the domain, everything that you’ve done has enhanced the product in some way that you’re trying to sell; you’ve got to be in a better place than when you started. If you were suffering incidents as you go along, you’re going to be eroding and eroding and eroding that value. Cybersecurity means nothing really these days because it’s a term used to cover over a lot of different subjects. You’ve got two different rule areas for me. You’ve got your information security, and you’ve got your cyber defense. So, from an information security perspective, customers, clients, your own internal staff – that needs to be protected. Value creation, as long as that stays protected, you’re enhancing the value of the business in my opinion. Cyber defense-wise, okay, you can invest a lot of money in protecting your defenses, even monitoring, and you can often show that, based on firewall logs and SOC monitoring analyst accounts, you are being attacked left, right and center all the time, and you’re defending and you’re defending and you’re defending. So there is a risk metric, though, that you could say, if that function wasn’t there, the company would be subject to XYZ. Therefore, this investment is protecting this amount of asset, this amount of value. So, when you come to exit, if you’re in your best state possible, I know, from a buyer-side perspective, I find it very difficult to argue if someone’s showing evidence of five years of great cybersecurity practice.

Nugent

It feels like the core focus for us is, in essence, value preservation. Trying to preserve the value of the business for as long as possible without suffering an incident. And then the other piece that I emphasize when I have conversations with deal team members as a particular asset’s coming up for a potential exit, either through sale or IPO or whatever it might be, which is around illustrating the security value story. And what I mean by that is the work that they’ve probably done with the broader business, to your comments earlier, entering new geographies, really beefing out the sales and marketing function, bolting on new businesses that are value-creative and generate further revenue; all of that is clearly driving value, but if you can show in a really rigorous and considered way that that value has been created securely in a way that has considered security right from the outset, that is also a powerful message, because you’re saying we’ve preserved the inherent value of the business throughout our ownership, but also whenever we’ve done something new, interesting and exciting, security has also been a part of that as well. So I think it becomes a doubly resonant message to buyers if you’re able to tick off both bases.

Brown

So, gentlemen, what I’m hearing is there is an opportunity for value creation and value preservation, but also demonstrating that having the defense in place allows you to reach and attain the growth more effectively because you’ve been able to keep hackers at bay. A question. It feels like the hackers that are attacking businesses are becoming more sophisticated, and they’re trying new means and different ways. Is there a trend here where companies not only need to defend, but they also need to stay ahead of what could be new and different ways that cyber attackers are looking to penetrate businesses? And what actions should a PE take right now to prevent a breach in the future when you don’t even know what’s coming, because they’re getting more and more sophisticated?

Harragan

So we have this question a lot from our clients. For me, understanding your threat landscape is probably one of the most important things you can do as a security leader. Because it enables you to understand what you’re trying to protect. From a future perspective, I appreciate that’s quite difficult. So, your threat intelligence platform, that you may or may not have, is really, really important here. Because you, as a security leader, will understand what your business is trying to achieve in terms of its strategic goals for the next three to five years. So, you can understand that part from that journey. Now, whilst we don’t know what the cybersecurity risk is going to be in the next three to five years, the threat intelligence teams do have an idea based on trends and researchers’ trends, and you can put together a plan on how to protect yourself. Understanding your threat landscape for now is super important because that builds the foundations of where you’re going to be in the future. There’s a famous saying: you can’t protect what you don’t know you control. So if you don’t know what you control, how do you protect it? So, understanding who’s interested in you and why, and what’s valuable within your business, is really, really important. Where you operate, you may have a huge function coming out of America, but you may have one small satellite office in Peru, and Peru may be the target, and maybe the entrance point which causes the whole business to be paralyzed. So understanding that threat landscape for now and what it may be in the future is super important.

Nugent

I think you made a great point in passing there, Paul, which was around understanding what’s important. And I think that is so fundamental, along with the threat piece, which feels like people have been talking about threat-informed defense for 20 years, and, yet, nobody’s actually found a way to do it fully effectively, but the threat piece, coupled with understanding what is genuinely business-critical and adopting security controls and measures that align specifically to protecting what is most important and monitoring that, and being able to respond to attacks that affect what is really business-critical is, for me, fundamental. And I guess the way in which those attacks might manifest will change over time. And so I think there’s a couple of things that I would call out as key to almost trying to get ahead of the attacks that you’re likely to face, one of which is making sure that your security function, or at least your security leader, is fully clued into your technology strategy and the broader business plan so at least he or she has a really clear vision of how the business is going to change and what shifts there might be in the attack surface. What additional ways there could be for a potential assailant to get in. And I think the other bit is really to make sure, beyond that alignment with the technology function and CTO, your CIO, that the security leader and the team as a whole is doing that horizon-scanning work. So, really being militant in trying to understand the ways in which new technology could generate new attack vectors and mapping that right back to the threat landscape as it stands today and as it’s projected to change, to Paul’s comment.

Brown

Well, gentlemen, thank you so much. This has been an extremely enlightening conversation, and so many valuable pieces of insight and advice for our listeners. One of the big themes that I took away though, notwithstanding thinking ahead and trying to get ahead of the potential vulnerabilities in businesses and always making sure that you’ve got those lines of defense, really importantly, companies need to have a plan in case they do get attacked, and that plan makes the big difference between how you either end up with a really big problem or a problem that you can contain and address and, hopefully, mitigate the outcomes or potential negativity around the attack. So it may eventually happen, but the proof will be how you handle it.

Harragan

Nailed it. Love it.

Brown

Excellent. Guys, thank you so much. Really loved having you on the show and really appreciate your insights and your time.

Nugent

Thanks very much.

Harragan

Real pleasure. Thank you.