Why Private Equity Funds Must Pay Attention to Ransomware Attacks at Every Phase of Their M&A Investment Lifecycle

More and more businesses are getting blindsided by sophisticated cyberattacks as the threat landscape continues to evolve. According to a recent cyber threat report released by SonicWall, 2021 was the worst year on record for ransomware attacks, with a 105% increase over the previous year. The Private Equity industry has not been immune. In fact, the industry has experienced a heightened level of awareness and sensitivity around ransomware attacks, particularly in the context of mergers and acquisitions (M&A). These attacks have broad implications for Private Equity funds since they threaten not just the funds themselves but also their portfolio companies, as well as their would-be acquisition targets. This trend clearly points to the need for enhanced and proactive planning on the part of funds during each of the acquire, optimize, and realize phase of the investment lifecycle.

What Does a Typical Ransomware Attack Look Like?

Ransomware is a type of malware that is designed to infiltrate online systems. A ransomware attacker typically encrypts compromised files and then demands a ransom payment for access to the information, which can often contain sensitive customer data.  In some cases, if the victim does not cooperate with payment demands, further extortion attempts are made through the public disclosure of stolen information or distributed denial of service attacks (DDOS).

Organizations that are not prepared for a cyber-attack will often pay the ransom because it is the easiest and fastest way to handle the situation. In other words, the attacker usually has the advantage—selecting when, how, and who to target, typically when they are most vulnerable. These types of attacks have impacted all sectors from manufacturing and financial services to technology, healthcare, and beyond.

Why Companies Involved in Private Equity M&A Are at Risk?

Companies involved in M&A may be particularly vulnerable to ransomware attacks due to several factors, which include:

• Publicity: Mergers and acquisitions are an important step in the lifecycle of a company, and a public announcement can raise a hacker’s awareness of an opportunity to institute a well-orchestrated attack.
• Time sensitivity: Acquisitions are executed on a set time frame with pressure from investors to stay on schedule. A ransomware attacker could use this as leverage to receive a ransom pay out from transaction parties who are motivated to keep a deal on track.
• Access to capital: Ransomware groups will target Private Equity funds and their portfolio companies because of known levels of sensitive information contained within the IT environment. Cyber criminals recognize that a company backed by a well-funded Private Equity firm is more likely to pay a ransom as compared to one that lacks the financial backing of a sponsor with the means to pay and an aversion to negative publicity.
• Less controls: A target may have less robust cybersecurity measures in place—which is particularly likely in the case of middle-market companies—making them more vulnerable to ransomware and other types of cybersecurity attacks. M&A activity also introduces added risk because it is a time of transition and general hyperactivity where transaction parties may not be adequately focused on cybersecurity threats.
• Investor expectations: Post-transaction economic expectations can also be a leverage that favors a ransomware attacker. A company newly acquired by a Private Equity fund is expected to meet financial commitments to its new investors. This gives an edge to the attacker at a particularly sensitive time.

While target companies are typically the focus of ransomware attacks, it is equally important for Private Equity firms to establish benchmarks to properly identify and mitigate threats in their own operations. During a Private Equity transaction, the firm is in regular contact with the acquisition target—sending emails, sharing files via shared file systems, etc. One piece of embedded malware in these exchanges is all it takes to unleash a consequential attack.

Cyber Insurance Protection

Stand-alone cyber insurance can provide buyers with additional protection against unknown cyber risks. Cyber insurance, very generally, is insurance that provides coverage for some of the many risks that arise out of the use of computers and other digital devices or networks, such as data breaches and ransomware attacks. Although the specific coverage provided by a cyber insurance policy varies from policy to policy, cyber policies generally provide coverage for both first-party claims (claims seeking coverage for losses sustained by the policyholder) and third-party claims (claims seeking coverage for liability to a third party).

A cyber policy typically provides coverage for certain expenses incurred by the policyholder as a result of a data breach, including costs incurred to investigate and remedy the breach, as well as costs incurred to notify potential victims of the breach. A cyber insurance policy also generally provides coverage for a policyholder’s liability to third parties arising out of the data breach. In addition, many cyber policies provide coverage for business interruption losses and cyber extortion payments (among other things).

What Measures Can Help Reduce These Risks?

To help counter these threats, it is important for Private Equity funds to obtain a full understanding of the risk landscape in the pre-deal due diligence process. Every transaction presents a certain level of inherent risk—which is a combination of all the risk factors involved.

Once there is a clear picture of those risks, targeted controls can be implemented to bring them to an acceptable level—also known as residual risk. If, after an initial assessment, the residual risk level is still deemed too elevated, then more control measures can be implemented.

These control measures can be straightforward and relatively painless to implement—which is the kind of work we do for clients on a regular basis. An example could be something as straight-forward as enabling multi-factor authentication on critical systems or as complex as designing intricate architecture or network segmentation.

Additional processes and procedures that can help mitigate risk include the following:

• First and foremost, a Private Equity fund undertaking an acquisition requires a documented risk management process, both at the fund level, as well as at the target company.
• Having a diligence process in place that adequately reports back the cybersecurity risk maturity level of the target is critically important.
• To help lower residual risk, organizations should collectively look at a project risk plan that outlines short-term, long-term, “must-have”, and “nice-to-have” execution strategy goals.
• Once the acquisition closes, the project risk plan should be executed on a schedule that helps to bring the residual risk within expectations on an agreed-to timeline.
• Finally, a proper incident response protocol is essential to have in place prior to an attack. With this in place, an organization can actively design their systems to look for threats and know how to respond in case of an incident, while also helping to achieve a higher level of assurance with respect to any future threats.

How Cherry Bekaert Can Help

The cybersecurity environment is not getting any simpler and the increasing potential for a private equity-involved ransomware attack adds further risk and complexity. The issues are compounded when you consider that these threats touch all sectors and that each organization, no matter its size, has unique risks depending on its structure and culture.

Our Cybersecurity & Information Assurance practice helps organizations address cybersecurity risks and related third-party contractual requirements using customized risk management solutions, industry insights, and innovative automated tools tailored to meet your objectives. We provide services to support the full lifecycle of your risk management needs including:

• Cybersecurity & Privacy Advisory/Attestations/Certifications
• Cybersecurity Risk & Technical Assessments
• Managed Cybersecurity Services

Cherry Bekaert provides guidance and support that helps our Private Equity clients protect their investments while achieving organizational goals. Our professionals understand the Private Equity landscape and the risks they are facing. Contact us today to learn more about how we can help.