“But security requires understanding the type and volume of data stored by the organization, the regulatory and legal landscape, and the potential threats to the organization,” he said.
Sean Curran, a director of West Monroe Partners’ security and infrastructure consulting practice, agreed, noting that part of the problem is that for many companies, evaluating cyber risk is, “still a strange enough topic that some of them are asking how to find the right person to do it.”
He said the purpose of due diligence in cyber risk is not to learn whether a company can be hacked; any company can. Indeed, the mantra in the security industry these days is that there are two kinds of companies: those that know they have been hacked, and those that have been hacked but don't know it yet.
“The key is to know what you’re buying – what’s the ‘secret sauce’ that makes a company unique,” he said. “Is it financial, reputational, legal, and what is the value of that? And what might a breach cost?”
According to Michael Del Giudice, senior manager at Crowe Horwath, it is well worth investigating whether a target company has been breached and remains unaware of it. He cited a Ponemon Institute study that found it took retail companies an average of 197 days – more than six months – to detect a breach.
“If a potential acquirer relies on a questionnaire, it’s possible the target may not be aware of a breach that could significantly impact valuation of the firm,” he said.
That is also the message from Ron Arden, vice president and CMO at Fasoo. “An acquirer needs to understand the assets and liabilities it is acquiring, and look at lack of adequate security as a business risk, just as leases, debt and potential litigation are liabilities,” he said.
That level of scrutiny is “very well established” at larger private equity firms like Blackstone, the Carlyle Group and TPG, with assets under management (AUM) in the $75 billion to $200 billion range, according to Eric Feldman, CIO of The Riverside Company.
“But there’s a huge gamut of sophistication among firms,” he said, “which means that for many smaller firms, the cyber side can be a weak point.”
However, that is improving even at smaller firms, he said, due to pressure from both the public and private sectors.
On the public side, the federal Securities and Exchange Commission (SEC) has regulatory authority over U.S.-based private equity firms with more than $150 million of AUM. “That covers most of them,” he said.