What PE portcos can learn from high profile data breaches

Odgers Interim Head of Private Equity Solutions Ross Gordon interviews Kevin Hall, a cyber security expert at Aon who works with around 35 private equity firms on managing cyber risk in the investment lifecycle.

Every kind of business is potentially vulnerable to cyber-attack. One high-profile example in recent years is the 2021 attack on retailer FatFace (acquired by Next in 2023, formerly under PE ownership).

Ransomware gang Conti hacked into the retailer’s systems and initially demanded a ransom of $8 million. After protracted negotiations, FatFace agreed to pay a reduced amount of $2 million. Fortunately, the retailer had a cyber insurance policy in place that covered extortion up to £7.5 million. Alarmingly, the attackers were able to get hold of this information, including the level of coverage, as well as accessing sales databases and ecommerce site traffic statistics.

Unfortunately, cybersecurity risks continue to mount. Cybercrime is predicted to cost the world $9.5 trillion this year, with ransomware gangs making a “major comeback”. Moreover, 48% of organisations that faced cyber-attacks in 2023 paid the ransom.

In the PE space, portfolio companies (portcos) are often considered by hackers to be juicy targets. Portcos do not usually have their own Chief Information Security Officer (CISO) and different threats arise at different stages in the PE investment lifecycle.

Many portcos and PE investors are still insufficiently prepared for and protected against cyber-attacks. An Accenture study found that 1 in 2 of its PE-backed clients lack cyber insurance, which not only helps cover the cost of a breach but provides first response support if an incident occurs.

“PE CIOs that have strong cyber expertise are in high demand for roles where they act as both a CIO and a CISO,” says Caroline Sands, Head of CIO & Technology Officers Practice, Odgers Berndtson. “We are working with various portcos that share the same challenges, and our deep and detailed searches are unearthing a new breed of PE CIO.”

Of course, at Odgers Interim we have access to interim leadership talent able to drive strategy development in this area and address weaknesses. We are also delighted to share some valuable insight from Aon’s Kevin Hall, an expert in cyber solutions, on how portcos can reduce the risks. Aon has acted for many companies targeted by hackers who have faced similar scenarios and dilemmas, and has a range of clients in the PE space.

At the acquisition due diligence stage, Kevin says he has seen several deals interrupted by cyber-attacks. He recommends conducting a technical review that goes beyond the traditional due diligence focus on documentation and policies, important though this remains. “It's very difficult in due diligence because you don't get a lot of access to the portfolio company pre-signing. But there's a load of open-source intelligence you can do to gain an understanding of what types of public-facing technical vulnerabilities there are that could be exploited by a threat actor.”

Previous dark web searches have unearthed network drawings of targets, and on one occasion Kevin even found a spider graph containing the CEO’s digital footprint, complete with social media accounts including usernames and passwords. Some businesses can be crippled when ransomware is deployed because employees use the same password for multiple accounts and IT lacks backup segmentation and other controls.

The frequency with which ransomware payments are made differs by jurisdiction and the maturity of the business, although Kevin says payments are still being made in many cases because backups are being encrypted by attackers and businesses are faced with rebuilding. Hackers are becoming more sophisticated and can tap into an array of dark web services, such as those that create a virtual environment resembling the target, allowing them to test and refine before they attack.

Investment Exit: A Period of Heightened Risk

The investment exit stage is also a period of heightened risk, particularly if the portco is being readied for an IPO. “You have to be very careful around IPOs and any big transformation projects that are publicly known.”

Hackers pick up on the publicity and see the possibility of a payday, presuming (often correctly) that there is more money to be made at the time of a major transaction. The involvement of additional parties such as advisors in an IPO or trade sale also bumps up the risk. “It’s not always the target that has been breached that is the ultimate target,” explains Kevin.

Portco operating partners should also be mindful of the “people element” of cyber risk. Kevin points to one example of a CISO who rashly took to social media to brag about the high quality of the company’s cyber defences. Hackers took up the challenge, defences were breached – and inevitably the CISO was fired!

Here are some useful cybersecurity tips:

  • Develop and adhere to a framework or Minimum Security Baseline across all your portcos.
  • When possible, perform comprehensive due diligence of your target to understand their cybersecurity governance and capabilities, and how cyber-risk is perceived and managed in the business.
  • Engage a Digital Forensics and Incident Response (DFIR) provider that allows your portfolio companies to act quickly in the event of a qualified incident.
  • Understand what the financial impact would look like in the event of a successful cyber-attack, so that you can measure and create a plan to appropriately reduce risk across the entire portfolio.
  • Be doubly vigilant during an IPO process or at other high-profile moments in the investment lifecycle.

Cyber-attacks that cause customer data breaches must be handled with great sensitivity. Returning to the example of FatFace, an undisclosed number of its customers had their personal data compromised, including names, email addresses, address details and partial payment card details.

Guidance for those suffering an incident includes:

  • Identify and engage external legal counsel to ensure the breach is handled under attorney-client privilege.
  • Contact your incident response team, assuming this is an external partnership. If one does not exist, then legal counsel and/or the broker will have a panel that best supports the insurance carrier's needs.
  • Contact your cyber policy broker to help notify the insurance carrier, ensuring compliance with the policy.
