Private equity firms may inherit data attacks from acquisitions
INSIGHT ARTICLE |
Many businesses in a variety of industries, including private equity firms and their portfolio companies, can experience data security breaches. Violations often involve the loss of customers’ personal and credit information, and many times, go far beyond the potential loss of financial information or regulatory penalties. The bad press from a security breach could equate to the loss of thousands, if not millions, of customers. In addition, the greater hit is often in the form of reputation and goodwill erosion, and the possibility of liability suits.
As a private equity firm acquiring a new business, could you be held responsible for existing ineffective security strategies, resulting in breaches within the acquired company? Further still, post-deal close, could you encounter challenges related to compromised intellectual property of the acquiring business and resulting aftermath? In a word, yes. You could inherit many of the problems from presale attacks, and be paying for these security issues for years, in the way of fines, costly litigation or plummeting revenues.
The cost of security breaches
You’ve likely read about the highly publicized data breaches prior to last year’s holiday season. These data security attacks were due to point of sales (POS) systems malware. The systems were compromised by way of a third-party vendor. The malware used to read credit card information on the POS systems copied the cards as they were processed in memory. There are, however, many more damaging avenues an attacker may take to access an organization’s critical data, like hacking into corporate bank accounts, extracting sensitive data and sometimes a business’ actual account funds. This could not only lead to compromised customer and credit information, but also devastating financial loss for a company.
The Ponemon Institute Cost of Data Breach Study in 2013 noted that the average cost of a data breach in the United States is $188 per record, and the average number of records compromised per incident was 28,765, which equates to an average total cost per breach in the United States of $5.5 million. The report also noted that there are four factors that can actually reduce the cost of a data breach per record by $41. The factors include:
- Having an organizational incident response plan in place
- Adopting a strong security posture at the time of the incident
- Designating a chief information security officer responsible for data protection
- Engaging consultants to help remediate the incident
Intellectual property concerns
A major concern for private equity firms and their portfolio companies is compromised intellectual property. What happens if you own or acquire a company, not knowing its key intellectual property has been compromised? For example, let’s say you buy a company that had the market cornered on one specific area, a unique niche in the market, and that unique niche was what made it a desirable business purchase. After the sale, you find that the very unique niche that made the company so ideal was actually compromised, due to a security breach or stolen intellectual secrets. Patents, copyright, trademarks and industrial design rights provide protection around the elements of intellectual property, yet ideas can be breached and designs stolen.
Knowing of the intellectual property breach prior to the deal closing, how would this have affected the acquisition? You may have walked away from the deal or bought the company for a lower price. A company can lose its value and competitive edge if their key intellectual property is compromised. Losses for a deal misstep like this can result in millions of dollars, and business recovery may never occur. Proper due diligence prior to the deal close is essential to uncover intellectual property impropriety or breach.
The best defense
To get started on applying protective security strategies, a simple assessment of the current state can help an organization understand their security posture, and identify gaps in their security program. Private equity firms can use this same approach in their potential acquisitions, as well. Studies show good protection can save a company up to $1 million per year, or with higher-end protection, as much as $2 million.
A business-wide and sweeping assessment can help reveal appropriate security standards, including: ISO 27001, the payment card industry (PCI), Sarbanes-Oxley Act of 2002 (SOX), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA) and more. In addition, it can uncover, to an organization or an acquiring firm, all of the ways the company may be breached. For instance, most data breaches do not happen through front-facing websites, but rather through side channels, like a branch wireless system or retail site networks. Organizations should ensure that all access to their networks and systems are managed, including third-party access.
In addition, a comprehensive assessment can identify if the acquisition target will need major funding to get itself security compliant. Frequently, when a company is trying to get acquired, they will cut all possible spending in order to make their financials more desirable to a buyer. This often includes funding cuts related to information technology (IT) security and maintenance, the very preventive needed for strong security planning. A private equity firm looking to acquire this company often doesn’t realize this financial cut until post sale. Unfortunately for the acquiring private equity, in these cases, it may take several years to upgrade the acquired company’s technology and assure proper security strategies and tactics are in place.
Questions to consider
Another best defense is pondering critical questions prior to an acquisition. Answers to these questions may make all the difference in deal negotiations.
- What is it about the target that makes it of value to you?
- Is it something that can be stolen or copied? Broken?
- How would you know if it has been compromised before you buy that target?
- How would you know if it has been compromised since you bought it?
- How are you monitoring this risk?
- Are your targets or portfolio companies doing this on their own?
- What evidence or metrics are provided to you?
- Do you have some centralized process for continuous monitoring?
- Is the target in an industry facing potential new regulatory oversight?
- What if the target is not facing new regulations, but its primary partners or customers are?
- For example, many retailers and financial clients are now forced to do extensive risk assessments on their vendors and business partners.
- Are you prepared to deal with the cost?
Once a private equity firm or business has an understanding of their current security posture and threats, they can target their information security spend on the largest risk areas to quickly reduce the potential for a security breach. By improving the weakest links in an organization’s information security posture, it can quickly become a less-attractive target for an attacker, and a much more attractive business for a buyer.
RSM LLP is an Iowa limited liability partnership and the U.S. member firm of RSM International, a global network of independent accounting, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party.
RSM®, the RSM logo, the RSM Classic logo, The power of being understood®, Power comes from being understood®, and Experience the power of being understood® are registered trademarks of RSM LLP.
© 2014 RSM LLP. All Rights Reserved.
This publication represents the views of the author(s), and does not necessarily represent the views of RSM LLP. This publication does not constitute professional advice.