M&A Roundtable: Why Cyber and IT Due Diligence Is Critical For Private Equity Firms

Intro (00:00):
You're listening to the Alliant M&A round table, providing insights and expertise on the unique risk management needs of private equity firms.

Johnathan Gilbert (00:12):
Thank you all. And welcome to another podcast from Alliant M&A, I'm John Gilbert, I co-lead the M&A practice for Alliant. Very excited to have Chad Neil with us today. Chad leads our cyber M&A services, which include cyber due diligence, IT due diligence and post-acquisition and advisory work. Chad brings a wealth of knowledge and expertise from the cybersecurity and information technology industry and has been serving private equity firms and their portfolio companies for a number of years. Today, we're going to talk a little bit about cyber due diligence, IT due diligence, and then some services that are done post-acquisition and what it's all about, why we should do it. Chad, with that, you know, thank you for joining. Appreciate you coming on again. Why don't you say a few words about yourself and your background and what we're going to be doing here at Alliant from a cyber information technology standpoint?

Chad Neale (01:00):
Thank you, Jonathan, and I'm really excited about the opportunity to join the Alliant M and a team and bring this background that I've developed over the last 30 years around cyber security and more broadly risk management to our clients. I've spent 30 years really developing a risk management approach to helping companies solve their cybersecurity and privacy challenges. Over the last five years, I've really focused this discipline on transaction advisory and helping private equity firms throughout their entire investment life cycle manage this risk.

Johnathan Gilbert (01:38):
Well, thanks, Chad, and welcome aboard again, and excited to launch this additional service for our clients, you know, from a cyber and IT diligence standpoint, what are the key things that go into diligence prior to an acquisition? You know, what are the core components that really go into, your review, which is oftentimes a very condensed timeframe?

Chad Neale (01:58):
That's a great question, Jonathan. You know, when you think about these assessments, we don't have the luxury of a typical risk assessment to spend three months to assess an organization, you know, interview multiple people across the organization and put together a report on, you know, where the key risks are and develop a roadmap. We're typically getting the phone call for support when the organization is down to 45 days to close. So, what that means is we really need to assemble the team, get started within a couple of days, arrange the management meetings, and put together a meaningful, impactful report within three weeks. And what we're focused on, that's a little different than a typical risk assessment is understanding what the investor needs to understand about that organization as it relates to their investment thesis and broader risk that may or may not materialize after the acquisition. So, we're looking at really three core domains that have many sub-domains from a very high level. We look at IT, we look at information security and privacy, and within privacy, we're looking broadly across compliance.

Johnathan Gilbert (03:10):
You know, that's really interesting. It's certainly hard to imagine buyers not completing cybersecurity diligence and IT diligence in today's age, regardless of the type of company or size. It's just everyone's dependent on technology in some way. And it seems like an invaluable service certainly, and it's not just the knowledge from a cyber security or IT standpoint. You also have to know how to move on deal timing, and you how to really approach it with a SWAT team approach where you're coming in and coming out as fast as you can so that we let the deal guys do the deal which is always important. And it's a skill set that's learned, you know, not overnight and important to have both experiences, which is great.

Chad Neale (03:46):
No, it's, it's interesting because it's really changed over the last five years. You know, I would reach out to PE firms and many, many PE firms are very interested in learning about the subject of cyber security, but very few were doing anything very formally around cyber security assessments. In fact, five years ago was interesting even IT was a relatively new area of focus where they were bringing specialists in to understand the IT infrastructure, the business applications and putting together a thoughtful report from a due diligence standpoint. So, when I was bringing up the topic of cybersecurity, again, they're very interested, but very few were doing anything and that's just completely flipped on its head in the last two and half years. We've seen it be much more the norm regardless of the investment, right? If you're investing in a manufacturing company or if you're investing in a technology company, there are risks in this area, both from an IT and a cyber perspective that you want to understand going into this transaction. So that if there's anything really important to address, you can get that worked into the hundred-day plan, or at least you can have it in the longer, you know, six-month, twelve-month plan and address that and, mitigate any exposures.

Johnathan Gilbert (04:58):
That's great. And, you know, Alliant M&A is certainly a leader in Rep & Warranty insurance. And if we look back at the hundreds of deals in the last year that we worked on and what diligence streams were engaged, you know, we see all the reports and share those with the underwriters. I would say now it's more than 50% of the time that we see cyber security and IT diligence done, or to your point a few years ago, I don't remember either one. It's certainly seen a growing uptick and I think we'll see that number climb to 80 to 90, to 100% in the near future. But are there external forces that are also pushing private equity to sort of focus on cybersecurity in IT infrastructure, whether it's regulatory or LPs or otherwise, Chad?

Chad Neale (05:40):
Absolutely. So, I think from an LP perspective, you know, now on the annual questionnaires that LPs are sending to PE firms, you're seeing many more. In fact, I think it's now pretty much across the board. They're asking about cyber security as it relates to their investment strategy. Few years back, you started to see LPs asking questions about cyber security, but PE firms were typically answering that as it relates to their cyber security program, and what the PE firm was doing to protect investor information. But now there's been a huge turn to really focus on what are you also doing during the due diligence process to understand that you're making good investment decisions and managing this risk from the outset.

Johnathan Gilbert (06:29):
Yeah, that's great. That's very helpful. And you know, we hope it doesn't go to the level of requirements that exist for publicly traded companies, but certainly not surprising that LPs are pushing for some additional work in this area.

Chad Neale (06:42):
So, the SCC has been very active in this, in fact, in the last four years, when you look at the list of priorities, the SCC is listed at the beginning of every year, cyber security continues to be a critical area. They now have got some proposed rules that are really strengthening the requirements for registered investors. And many are interpreting some of the requirements around risk management to extend down to a PE firm's investments.

Johnathan Gilbert (07:13):
I don't know that I'm advocating for the SCC to have more regulation of private equity firms, but we're here to help. If it does come to our clients, it'll help them get through it.

Chad Neale (07:22):
It might be worth mentioning that the strategy that we're going to take at Alliant right, is to build services around due diligence to help organizations, our clients and new clients look at these investments and understand, you know, what their invest looks like from an IT and cyber and privacy perspective.

Johnathan Gilbert (07:41):
Yeah, certainly at Alliant M&A, we certainly look at ourselves as the advisor from letter of intent to investment exit and preparing for exit is certainly almost as important sometimes as the initial diligence on the front end, shifting gears a little bit, you know, as we look at targets, every day its healthcare, it's industrial, its construction, it's certainly SaaS-based companies, and otherwise. Is there a company today, that's not a technology company meeting, they're not dependent in some way on technology, is anyone exempt from potential threats these days, Chad?

Chad Neale (08:14):
Absolutely. The playing field has shifted quite a bit. When I first got into cybersecurity, you know, 10, 15 years ago, you would see people and you'd meet with people in manufacturing or someone that didn't believe that they possessed any publicly identifiable information, and they, weren't very interested in hearing about cybersecurity measures that they should be taking. But with the advent of ransomware, that's completely changed the game. So, getting out in front of this understanding, as it relates to ransomware, and what kind of backups does an organization have in order to recover from that threat, so they don't necessarily have to pay the ransom. And then also are those backups offline because those ransomware attacks will go after backups that are on-prem or there's connectivity to those backups. And ultimately how well have they tested their backup recovery strategy?

Johnathan Gilbert (09:09):
Yeah, and having seen a number of cyber claims with our clients, every time, the cyber event lasted longer than they expected, and it certainly costs more money than they expected. Well, you know, shifting gears a little bit, you know, we work with a number of technologies-focused, private equity firms, ranging in size, deal sizes, from 30 million up to a couple billion or more from a technology industry standpoint, particularly SaaS-based targets. And a lot of times we'll see cyber security and IT diligence done in-house. Do you see a change coming there? It almost feels as if LPs may, require some independent review similar to what you see under SOX compliance for publicly traded companies. Any thoughts there, Chad?

Chad Neale (09:58):
Yeah, definitely saw that pivot as well. It really depends on the size of the PE firm. As you go up in size and move from the middle market investors to the upper middle, to the large PE firms, you see more investment in bringing in operating partners and investment professionals that have strong IT backgrounds. They're critical in helping the diligence process get uplifted in a way that is going to help them make good investment strategy decisions. But the challenge that they have, and we often work with those firms, is that a single person doesn't scale very well for the amount of deal volume that's taking place. So, I think that change hasn't meant that they're taking it all in-house, right? Just because of the amount of deal volume that they have now, if the volume's a little bit slower, yeah, absolutely, they're, they're doing more of that work themselves. But in the last couple of years, we've seen more cases where those people are primary contacts and they're asking us to come in and really lean in a particular area of it, or just do the cyber and the privacy component and really kind of divvying up the work that way.

Johnathan Gilbert (11:10):
That's very insightful. One other trend that we've seen in the market is just the buy-in build strategy where there's an initial platform investment by a good-sized company. And then we'll see a number of tuck-ins addon, you know, subsequent to that initial platform investment. How important is it to get the right baseline from a protocol infrastructure standpoint? You know, whether it's IT systems and people, to cyber security.

Chad Neale (11:35):
Yes. That's a great question. And we're seeing the same thing. And I think with the economic climate, you might see more of those types of investments happening. It's really all about the PE firm building value through these acquisitions. I would argue that you're going to be able to tap into the greatest amount of potential value by ensuring that the platform has the right IT stack and that it's scalable and that the add-ons will be able to integrate pretty readily through the use of strong technology platforms, well-known ERP systems that have the ability to scale and really support the overall investment strategy. We found that some of these organizations that had grown really fast, had underinvested in technology. So they were, maybe on a very small ERP platform that didn't scale, they had a lot of customization, So integration was going to be a real challenge.

Johnathan Gilbert (12:34):
For sure. No, that's very helpful. So, as we look about designing insurance programs for a client. We're looking to put together the most robust cyber insurance program with market-leading endorsements and terms, and the highest limits as the company wants to buy. How beneficial is it to have the expertise from a cyber standpoint and the diligence team also intertwined with the person who's going to be designing and placing that cyber insurance policy?

Chad Neale (13:02):
That's a really good question, and I think it's become more critical than ever before, just because of the challenge the insurance industry has faced over the last couple of years and some of the significant losses they've experienced. I think, from my experience, this is a really critical step in the due diligence process. You know, being able to marry experts that understand from an investor standpoint, what type of cybersecurity risks are going to potentially give them the most exposure. Understanding what the organization has done to mitigate those risks and then working with the team, that's going to help place the insurance understand what the landscape looks like, where the gaps and the potential remediation strategy that the firm is committed to implementing can really help with that whole process and in getting to the underwriting.

Johnathan Gilbert (13:58):
Well, thanks everyone for joining again, we're very excited to kick off the first of what will be many cyber-IT-related podcasts. The Alliant M&A is truly that advisor from letter of intent to investment exit, and our job doesn't stop when the deal is done. We're there with our clients to the exit and want to be a value-added service. For additional information, please visit www.Alliant.Com, and we look forward to speaking to you again in the future.