M&A Roundtable: What are the “Must Haves” for Every Portfolio Company When it Comes to Cyber?

Johnathan Gilbert (00:11):

Thank you everyone for joining. You're now listening to part three of the M&A podcast series focused on cyber security and technology risk management, both pre-acquisition and post-acquisition. The final part of this series will focus on portfolio company risk management. Today we are speaking with Chad Neal, who leads Alliant's cyber security and technology pre- and post-close service offering. Along with Chad, is Michael Dolezal, who's also a senior member of the team with Chad based out of our Chicago office. And today, again, we're going to focus on portfolio risk management. You know, what should Private Equity firms do after they own a company to continue to monitor and improve a portfolio company's cyber security risk posture over the life of their investment and considerations to take into account both from add-on acquisitions, organic growth, geographic expansion, and things like that. So, there's a lot to unpack here and so excited to dive in with Chad and Mike on this exciting topic in today's world. So, Chad, turning to you, you know, how has portfolio company management of cyber changed in the Private Equity landscape over the last, you know, three or four years?

Chad Neale (01:23):

Great question, John. It certainly has gone through quite the evolution. You know, I've been focused on this market for, you know, six plus years and when I first was coming on board and evangelizing the need to bring cyber security to the portfolio companies and you know, as part of the overall investment life cycle, there was a lot of interest from the Private Equity firms about cybersecurity and the kind of threats that were targeting companies broadly. But at that time, while they were very interested in learning more, very few were doing very much about it. And that could be said both on the pre-deal side from a due diligence standpoint, I would say even more so at the portfolio company level after they acquired the company. And if you recall back then it was very much a hands-off culture that PE firms would bring to their portfolio company management.

You know, they would basically allow the portfolio companies to make their own decisions around cybersecurity and they trusted that those were, you know, part of the everyday operations of the company. And what's happened, I'd say really, you've seen a change probably over the last three and a half years where, you know, just the number of portfolio companies that have been targeted and successfully breached and the underlying downtime, the operational impact, and the distraction away from value creation has really focused and forced the PE firms to start thinking differently about the way that they're approaching this. So, what you're seeing now is that many of the PE firms are setting a minimum standards requirement that all the portfolio companies need to meet. But that's kind of on the low end of the spectrum. I would say in the last year and a half we've seen some of the PE firms actually working very closely with third parties like the Alliant team here to help them get a read on what exactly is happening across the portfolio and then setting up almost like a toolbox of services that they can offer to the portfolio company to address the gap.

The reason this makes a lot of sense is a lot of the portfolio companies, they don't have relationships with security vendors. They don't have the bandwidth and the time to go figure out what the partner is. So, in that case, being able to offer them trusted advisors and best practices around tool sets can help quickly address the gaps and allow the portfolio company to, you know, focus on their primary objectives. So, I'd say that's one of the biggest changes that I've seen.

Johnathan Gilbert (04:18):

That's great. Well, thanks Chad. It sounds like a lot for Private Equity firms solely to consider as they look across their existing portfolio and understand, you know, where they're at and then how things can improve. Mike, it does sound like this is a lot to tackle for, you know, Private Equity firms. What are the biggest challenges that, you know, firms may encounter when thinking about trying to get a grasp on cyber risk management and posture across the portfolio?

Michael Dolezal (04:45):

Great question, John. I agree. I think it's a real challenge. And when I think about that question, the two main challenges that come to mind first is a lack of resources and skill set, especially in the middle and lower middle market. You know, there's a high demand for cyber professionals. So, finding and then retaining that talent to a higher bidder or a more dynamic work environment is an extreme challenge today.

And then secondly, cyber is and has been on everyone's radar, but knowing where to start or being able to answer the question, you know, are we doing enough, is a big challenge. And what we found is the best place to start is really to identify the threats specific to the industries the firm invests in. And then breaking that down to the individual portfolio company. Once you have an understanding from ideally both a quantitative and qualitative perspective of your overall risk, you can then begin the process to mitigate that risk, whether through internal controls or transferring to insure. But we're finding having that understanding is critical. I work with many middle market firms and whenever I ask them the question, do you know what the biggest threats are to your portfolio companies? I find that many of them are unable to answer it directly. For some companies, you know, it might be ransomware for some it might be internal espionage. The critical step in cyber management across the portfolio is to understand where you're strong, where you're vulnerable, and then how to position your companies to defend against the specific threats they're facing.

Chad Neale (06:13):

I think one of the things that's really interesting in this space, and it’s really kind of forced the hand for a lot of the Private Equity firms to take a much more proactive approach around cyber security risk management is the fact that there's now pretty concrete evidence that we've got cyber criminals that are actually targeting the private market space. There's really strong evidence that there's a big spike in breach attacks after a PE firm makes any kind of announcement, as it relates to a recent acquisition or some additional cash that they're injecting at the portfolio companies. And the thought is the cyber criminals are seeing this announcement and then they're taking advantage of the fact that a lot of times there's a real weak relationship between the PE firm and the portfolio company. And they oftentimes will try to bring an attack to email compromise or business email compromise and you know, try to get the portfolio companies to wire out a certain amount of money to what they think is their new sponsors.

So just wanted to add that, that's another dynamic that I think is really starting to play out and another reason why a very proactive approach needs to be implemented here. And for this particular scenario, we actually have some of our clients that we're advising, you know, when possible to delay those kinds of announcements until they've had the opportunity to put some policies and procedures in place between the PE firm and their Port Co around cash controls so that it's less likely that if someone tries to get them to wire some money out that it's going to be a successful attack.

Johnathan Gilbert (07:58):

That's great and very insightful. It also still, you know, sounds like a lot to tackle. I mean, you know, Chad, from your perspective, you know, when Private Equity firms start thinking about cyber security and really having done it, certainly it's been on their mind, but where do they need to prioritize? How do they start, you know, getting their arms around what's there and then taking action?

Chad Neale (08:18):

So, at the end of the day, the way I look at this is PE firms, many of them don't want to own cybersecurity at the portfolio company level because they look at it as a risk that they actually take on if they are trying to, you know, own that. So, what the PE firms are trying to do is get that balance of, okay, I don't want to own the cybersecurity at my portfolio companies, right? I want management to be responsible for the implementation of those programs. But as individuals that have seats on the board of these portfolio companies, they have that fiduciary duty to exercise risk management oversight. And that applies to cybersecurity as well. So, keeping that in mind, what PE firms are really focused on doing now, and we're helping many of these firms do this, is establishing that baseline. What you would call the minimum standards that you expect the portfolio companies to be executing against? It's by no means indicating that that's all that they should be doing. But because many of these portfolio companies have very nascent security programs when they're acquired, they're setting that baseline so that they have something to at least benchmark themselves against, see how they align today, and then immediately address those gaps.

Johnathan Gilbert (09:47):

That's great. Well, thanks Chad. How can Alliant M&A help Private Equity firms kind of establish what that baseline is and then monitor it? Do we have tools and services to help our clients in that regard?

Chad Neale (10:00):

We have a program that we've designed that is tailored to help the portfolio companies demonstrate to their private equity firm how they're actually performing cybersecurity risk management. And what that involves is, you know, we help the portfolio company after the initial hundred days that they've been acquired or they've been focused on, we help to do a baseline assessment of their cybersecurity program. It's a very rapid assessment because we know management doesn't have a lot of time. We come and we do that assessment. We identify where the key five to ten gaps that they have that we will work with them over the next 12 months to address, what we'll be monitoring, how well they're progressing against those plans over the next 12 months. And on a quarterly basis, we're reporting to the sponsors how well the portfolio company is actually progressing against that plan.

And that's a key differentiator because we've seen so many of these point-time assessments that have a lot of really good information in them. They find some critical gaps, but there's nobody on the back end of that checking in with the portfolio company to see if they have made progress against those gaps. You know, do they need help from a resource standpoint? Have they been able to find partners that can work with them to address those? And so, we've built that into this process so that we're basically an extension of the portfolio companies' management team to figure out where they need help and if we can help them, we're in a great position to do that. If there are other parties that can help them, we can actually identify those different options for them to consider and ultimately measure how they're progressing against that plan and update their baseline along the way so we can demonstrate to the sponsor the improvement in the security posture over that first 12 months.

Johnathan Gilbert (11:55):

Yeah, that's great, and I think one of the great things as well is while there's a lot of work that goes into it, it's actually fair, very economical in the feedback that we've received from clients. So that's a pretty effective tool and a needed one. But Mike, I know we touched on insurance a little bit, and certainly, you know, Alliant M&A is in a very unique position to both assess the cybersecurity posture at a company prior to acquisition or after and then also design the insurance program based on everything we've learned from your and Chad's findings and your team. Why don't you talk a little bit about the landscape of insurance today and how that's changed over the last few years? Great question. There's no secret that cyber-attacks of all types have been on the rise for a long time and you know, they really spiked during the pandemic.

Michael Dolezal (12:43):

You know, we're starting to see the frequency actually dip a little from the heightened pandemic levels, but the incidents and the cost are still increasing year over year. Insurers we've seen have responded, you know, to the rapid increase in claims over the past three to four years with increases in premiums ranging anywhere from, you know, 15% to 40%. We are seeing carriers becoming much more involved, you know, during the underwriting to ensure sound network fundamentals and companies seeking cyber insurance with weak controls are seeing co-insurance and other restrictive covenants. Another trend we're seeing is for companies with subpar cyber controls and network fundamentals who have existing coverage, obtaining renewals for them is becoming incredibly challenging. And then lastly, something Chad mentioned earlier, we're also seeing some sponsors delayed deal announcements, so MFA gets implemented for example.

Johnathan Gilbert (13:34):

That's great Mike and great insight. Yeah, I think one of the advantages of Alliant M&A being integrated for both cyber security due diligence and IT due diligence and the insurance placement is that we're taking all those applications, which could be three or four applications that companies need to complete either right at or after closing off the table almost all together because we've already collected all that information and we just really try to save our deal teams five or ten minutes in the life of the deal, every step of the way.

And being an efficient group on really five core streams that we've talked about in the other series of the podcast has really resonated with our client base as a real value add. But no, that's very, very insightful. You know, probably a very difficult question to answer and try to boil down a lot, you know, into kind of two or three critical areas. But you know, what do you, Chad and Mike, feel are the two or three most critical components to an effective cyber security risk management program across the portfolio?

Chad Neale (14:36):

Yeah, I'll start and Mike, please add some of your thoughts. We alluded to it before, but I really think for this to be an effective program, there needs to be some standard that the PE firm is holding all of their portfolio companies against, holding them accountable to. The private equity firms need to take a much more active role in defining those expectations because your newly acquired portfolio company, you know, has got a lot on their plate. And if they don't believe that your cybersecurity risk management is a key element of the top five things they should be thinking of, it's not going to get there. So, I would say the first thing is to establish a program, roll that out to all the portfolio companies and then have some mechanism where you can actually monitor how well they're executing against those minimum standards. And every year you should be ratcheting up those minimum standards so that new threats are being accounted for and the portfolio companies can continue to mitigate their exposure and be able to ultimately focus on the value creation and the ultimate object of you, the PE firm, and your investment thesis.

Michael Dolezal (16:01):

Great points Chad, and just to add one critical component that I've seen, the most successful firms I've worked with in my past when it comes to cyber risk management, it's a commitment from the top to bottom, from the sponsor all the way down to the IT admin at the portfolio company, everyone sharing that same common goal, that same common vision, setting those goals and committing to them. The other piece I would add is an effective cyber program is continuous, as we all know, cyber is not "set it, and forget it", it's not a point in time. So, we're having a continuous program, you are checking in, you are looking for the threats that are going on, checking the threat landscape that's changing and how are you adjusting your program for that landscape is critical as well.

Johnathan Gilbert (16:44):

That's great and very insightful. And then so it makes a lot of sense to have the top-down approach, or it just won't get to there as a priority. Now, as you think about it from the portfolio company standpoint, we certainly have the kind of must-haves from the insurance company to have an effective underwriting of the insurance program with the right coverage at the right cost. And what I call kind of the nine deadly sins that if a company doesn't have certain things, the availability and scope of coverage is going to be limited. But if you had to summarize a few must-haves that every portfolio company must have in today's day and age, what would those be?

Michael Dolezal (17:22):

Great question, John. When I think about the must-haves, it just brings me back to thinking about, I think there's some very, very high percentage of the number of data security incidents have to do with improper or just a lack of basic blocking and tackling, which goes back to those nine deadly sins. So, when I look at the must-haves, I would look at those nine deadly sins and look at MFA and patching and employee training and legacy systems, things like that. Just making sure that you're showing up the basic blocking and tackling that should be considered or is considered good cyber hygiene. Those are really a couple of the key things I would consider as must-have.

Chad Neale (18:02):

You know, one other thing that we should also keep in mind when you're thinking about, insurance, just in general, is really taking a hard look at your cyber insurance coverage today. We find that many of the policies that are in place at the portfolio companies we're assessing are not really adequate for the type of total cost exposure the portfolio company has. So, I would say that's just another thing that you want to make sure that is taking place after you've acquired the company, is really looking at that cyber coverage and making sure that the amounts really are aligned with the kind of loss expectancy you have at that portfolio company. Are there gaps in the coverage? Because their cyber security program may have been too immature to get the kind of coverage and there's a bunch of exclusions in there. So, understanding where those exclusions are, what you need to do at the portfolio company to address the root cause of those exclusions and then renewing your insurance. So those are some things that I would recommend.

Johnathan Gilbert (19:09):

Yeah, well that and just what do you do? I mean, you know, incidents happen, you've got an insurance partner, you've got other things to worry about. What does a portfolio company do? And the first start is, you know, certainly do what you need to hold down the systems, but also contact your insurance partner, you know, at Alliant to give you the right guidance to kind of get through the process. We'll help the company navigate how to evolve the insurance company itself. Their breach response team. So, they work with their outside counsel to, you know, effectively manage the breach. And then certainly after things have come down, how do we get to a resolution on the claim and the Alliant team will be heavily involved and all that. Well, thank you all for listening. We appreciate your time. Certainly, this has been very insightful on how to approach portfolio management from a cybersecurity standpoint. There's a lot to consider, there's a lot to understand. And having a partner like Alliant M&A, we think is very critical for our private equity firm clients and a real value add for the portfolio companies. So, a lot to think about again, a lot to do and certainly navigating this new world is challenging at times. But we are here to help. If you'd like more information, please visit us at www.Alliant.com.