Pre-investment

Utilising open-source intelligence (OSINT) at an early stage can expedite the visibility of critical risks before GPs invest further time and resources into due diligence. This is an opportunity to uncover potential vulnerabilities associated with key individuals, intellectual property, or current company practices.

The goal at this stage is to uncover hidden liabilities which could require further investment in the long term, for example a company with disgruntled employees, or prominent members of the target company who are sanctioned, disqualified officers or a politically exposed person.  

Consider engaging an OSINT specialist to gain early visibility of:

• Key stakeholders of the company through conducting digital footprint investigations
• Compromised data existing on the dark web relating to a specific company
• Legal and financial risk such as mapping of key locations associated with a target company in consideration of AML and regulatory complexities.  

Contract negotiation

For effective diligence, cyber risk should be incorporated and standardised within the deal thesis as an equal risk to others, gearing toward clear reporting and actionable results. Active cyber security investigation and review during negotiation helps determine and negotiate an asset’s value and prevents costly remediation post-purchase. Your investment should have the required cyber security standards in place and roadmap to maintain them. It is important at this stage to assess the target’s current cyber security posture across the three key pillars, technological, procedural and personnel, to uncover risks otherwise out of reach and unconsidered.

• Review company processes, policies, and procedures by way of a cyber security assessment
• Evaluate previous penetration test findings and ensure remediation measures are validated, particularly high and medium risk issues
• Consider an additional penetration test to assess company systems, software, and ultimately defence and control over critical IP and data.

Portfolio management

Investing in the cyber security defences of your portfolio company is one of the clearest demonstrations of ROI for cyber security throughout the investment life cycle. There are hard costs associated with a breach and this risk landscape is ever-changing. Risks initially identified as part of pre-investment due diligence can quickly evolve, so integrating cyber security into routine practices post investment needs to be a priority to mitigate this real risk of breach, starting with engendering a self-policing culture.  

The expansion of a portfolio company, a change of its software, renewal of an operating license or another seemingly insignificant vulnerability may become that single point of failure for opportunistic cyber attackers. Nurturing an internal security culture toward self-policing through the provision of social engineering awareness training is critical to minimise ongoing risks.  

Data management remains of course a priority in implementation of correct process and practices, as incorrect management could result in a data breach, causing considerable damage to company operations and reputation. Leaked sensitive information could be used for malicious activity, such as phishing and ransomware attacks, as well as impacting profitability and loss of market confidence.  

• Review incident response plans, ensuring immediate access to the right support is provisioned and guaranteed
• Audit current cyber security training and awareness amongst employees via effective social engineering exercises
• Develop a security roadmap to scale appropriately with the company’s commercial objectives, including regulatory and compliance requirements depending on markets, locations, partners, and product iterations
• Consider supply chain vulnerabilities: have private policies been reviewed with the right lens? Are suppliers Cyber Essentials+ compliant themselves?  
• Policy and document preparation in the event of divestiture or exit.

Your approach to cyber security within due diligence and portfolio management could well be driving toward compliance, considerate of the right regulations, but equally may fail to provide the actionable insights required to correctly model and negotiate around a target’s risk. It may also create significant blind spots within your portfolio, only known in the event of a breach, with consequences ranging from erosion of portfolio value to brand damage and loss of LP investment. Instead, if incorporated meaningfully throughout the investment lifecycle, driving real commercial consequence, cyber security can be the secret weapon of a private equity executive and your portfolio.

If you have any questions about this blog, or would like to discuss our approach to cyber risk, please do get in touch.