Cybersecurity risk applies to businesses of all sizes and across all industries – it is a risk that cannot be ignored. In particular, cybersecurity risk can no longer be ignored in the deal lifecycle. Time and again, investors have seen value evaporate after an acquisition target or new portfolio company is breached by a threat actor. The fact of the matter is that the volume, complexity, and value of data that businesses process, store, and manage has risen dramatically while threat actors and their methods have become increasingly sophisticated. Today, cyber threats are harder to detect and protect against, and breaches or incidents are more harmful and costly than ever.
In my article last year, I highlighted that including Cybersecurity and Data Privacy in the due diligence process provides insights into the business under scrutiny and the potential need for investment as well as potential risk factors to be considered in the overall valuation. Recently, there have been a number of watershed moments that have highlighted the importance of cybersecurity in protecting valuation both during a deal and after the ink has dried on the purchase agreement. These watershed moments have shown that, oftentimes, this loss in value can be prevented in the due diligence process; however, it has also become increasingly clear that taking proactive cyber measures after the deal has closed is paramount to protecting value.
For private equity firms and their portfolio companies, understanding how a cybersecurity threat can impact valuation is key to understanding how to protect value in the deal lifecycle. This means assessing the security posture of potential investments before closing a deal, incorporating cyber risk into due diligence assessments, drafting effective contractual protections for investors and insurers, and taking proactive steps to understand and manage cybersecurity risk after the deal has closed. Additionally, it is important for private equity firms to consider how a cyber breach could impact their ability to exit an investment and also how it could affect potential returns. By taking into account these considerations at every stage of the deal lifecycle, private equity firms can ensure that their portfolio companies are well-positioned to protect and maximize value.
Why Focus on Cybersecurity in the Deal Lifecycle?
All businesses are susceptible to cybersecurity risk—but not all to the same degree, and therefore differ in their potential for material and financial loss. A business that cannot defend itself from threat actors is worth less than one that can with the proper defenses and controls. Many industries are subject to regulatory requirements related to cybersecurity. If a potential acquisition is not compliant with these requirements, it can result in fines, penalties, and other legal consequences. Yet beyond formal requirements, cybersecurity can be a competitive advantage—for example, an organization that is noticeably more secure can build customer or client trust much faster than its competition. Understanding all these factors and being as thorough as practically possible can put investors in a more favorable position when completing negotiations.
Many underestimate how failing to respond to a breach could result in drawn-out consequences and threaten valuation at any point during the deal lifecycle. Cybersecurity incidents that significantly reduce value can occur before, during, or after a deal, making ensuring the safety of networks and infrastructure a priority for all parties throughout the process of any investment. A profound understanding of the cybersecurity posture of the target business should undoubtedly be an essential component in deal preparation; investors and sellers should be informed on what incremental costs are necessary to keep equity value safe.
Below, we have detailed a few key case studies that demonstrate the importance of cybersecurity in the deal lifecycle.
Three Key Case Studies to Consider
#1 Verizon-Yahoo!: A Watershed Moment for Cybersecurity’s Impact in Deal-Making
An increasing number of deals have failed to go through as investors are taking a deeper look into cybersecurity. This development is largely a consequence of the widely known Yahoo! disclosure: in 2017, Yahoo disclosed a data breach which led to a decrease in the deal price by Verizon Wireless. Initially, Yahoo did not disclose any significant events, but later revealed an earlier data breach that affected over 500 million users. The aftermath of that disclosure led to a 3% decrease in stock value, amounting to a loss of $1.3 billion in market capitalization. Verizon later determined that the data breach was a material event under its agreement with Yahoo!, and the parties reduced the purchase price by $350 million dollars—or 7.25% of the original deal.[1]
#2 Elliott Management – LastPass: Why Post-Deal Close Cybersecurity Measures are Critical
In 2015, the digital password wallet company LastPass was purchased by LogMeIn (now known as GoTo) for $110 million.[2] In 2019, Francisco Partners and Evergreen Coast Capital – the private equity affiliate of Elliott Management [3] - acquired LogMeIn for $4.3 billion.[4]
Two years later, in 2021, LastPass suffered a significant data breach that exposed a great deal of personal information of the users. During the breach, backup databases containing sensitive information, including passwords and credentials, were accessed by a threat actor. Although passwords were obscured, the threat actor also obtained customer backups, encryption keys, and plaintext emails, usernames, and domains.[5] The breach was concerning due to the potential for attackers to exploit weak or reused passwords unless users changed them. With personal data compromised, the risk of successful spear phishing attacks against affected users by criminals significantly increased.[6] While much information remains publicly unavailable, this undoubtedly negatively affected the valuation of the company, notably impacting the profitability of the investment.
#3 SilverLake/Thoma Bravo-SolarWinds: The Unforeseen Regulatory Costs of a Cyber Breach
SolarWinds is a business software developer that produces programs for IT infrastructure management. In 2016, SolarWinds was acquired by private equity firms Silver Lake and Thoma Bravo in a deal worth approximately $4.5 billion.[7] However, in December 2020, SolarWinds became the subject of a major cybersecurity breach that affected numerous organizations and government agencies.
The threat actors, suspected to be a state-sponsored hacking group, were able to access the internal systems of SolarWinds, a leading IT management software company. The threat actors then managed to inject malicious code into the company’s IT performance monitoring system, a product called Orion. Through Orion, the malware was distributed to SolarWinds customers, giving the hackers access to a range of sensitive data. The breach affected many government agencies, major corporations, and other organizations around the world. [8] The full extent of the damage is still being assessed.
Following the compromise, SolarWinds shareholders brought a class action lawsuit against Silver Lake, Thoma Bravo, and several of the company’s top executives.[9] The complaint stated that the cybersecurity weaknesses and inadequate investments that led to the Orion hack were the results of the business strategies employed by private equity firms, which aimed to prioritize short-term profit rather than long-term growth.[10] The company later announced in an 8-K filing that it had settled the shareholder suit for roughly $26 million but noted that the U.S. Securities and Exchange Commission had recommended enforcement action against it for its public statements on cybersecurity and procedures governing cybersecurity disclosures.[11]
How Does Cybersecurity Protect Value in the Deal Lifecycle?
It is critical to recognize that not all controls are expense items on the ledger when monitoring and assessing a company's cybersecurity. There are many ways that cybersecurity can actually generate business value. A few such examples are [12]:
- Protection Against Threats to Valuation and Reputation: the goal of cybersecurity is to defend against cyber threats—if this is accomplished effectively, there is, among others, a positive monetary, reputational, and legal impact on the business. The average cost of a data breach, as reported by IBM in 2022, was over $4M [13]—and is expected to continue to increase. Avoidance and/or reduction of an impact of a breach can have significant implications for the business.
- Business Resiliency: the ability of an organization to recover from an incident—whether it be an attack from a nation-state actor or a natural disaster—is paramount to the business. The speed and ease of recovery can directly affect how the business is viewed, and the financial impact on the organization sustains as a consequence.
- Customer Trust: everyone that an organization deals with is concerned with the privacy and security of their data. A company that is known to be more secure and trustworthy will be more attractive to a customer or partner than one that is not. Such trust affords an organization more opportunities to be successful.
In addition, it is worth mentioning that many organizations view the risk transference of cyber insurance as a safeguard against cyber threats, but in actuality, it is far from being an adequate substitute. If it is found that an organization lacked the infrastructure and controls to adequately defend itself, many policies will be rendered null and void.
Cybersecurity Best Practices for Private Equity in the Deal Lifecycle
- Conducting Thorough Cybersecurity Due Diligence to evaluate the cybersecurity risks associated with the target company and its assets and understanding the effectiveness of its cybersecurity measures. Due diligence should cover a range of topics, including the target company's IT infrastructure, network architecture, data protection measures, and incident response planning. The goal of this process is to identify potential cybersecurity risks and vulnerabilities that could impact the value of the acquisition or the future performance of the company.[14] In addition, the assessment should provide an initial understanding of a target’s cybersecurity program that can be used to define a roadmap where cybersecurity can truly become a component that adds value versus another risk exposure once the deal is closed.
- Creating a Post-Acquisition Cybersecurity Plan designed to identify and remediate any cybersecurity risks or vulnerabilities that were identified during the due diligence process, as well as any additional risks that may have been uncovered after the acquisition. The plan should include policies and procedures for data protection, network security, incident response, and ongoing risk management. This is essential for protecting and growing company value.
- Drafting Cybersecurity Protections in the Contract including protective measures such as indemnities, representations and warranties, and post-closing covenants related to cybersecurity, as well as assigning specific responsibilities for data protection among the parties, can be critical to protecting the value of the deal. These provisions should be tailored to the particular transaction and should cover various aspects of cybersecurity, such as data leakage and privacy compliance.
- Conducting Regular Risk Assessments should be a key part of any post-acquisition cybersecurity plan and should include performing risk assessments on a periodic basis. This allows for better prioritizing of initiatives and cybersecurity spending based on the latest intelligence. This also ensures that new threats are captured as an organization change and evolves, allowing business strategies and decisions to react accordingly.
Conclusion
While it is not necessary to be a cybersecurity expert yourself, it is important to utilize experienced and trusted cybersecurity partners who can support the deal lifecycle. Cybersecurity can have a material impact on valuation, and understanding the risk at a more granular level than before is paramount to ensuring your investment is correctly valued, and ultimately, as secure as it can be.
References:
[1] United States: Buyer Beware Cyber Diligence in M&A. Baker McKenzie, 2022.
[2] LastPass Revenue and Growth Statistics (2023). SignHouse, 2023.
[3] Francisco Partners and Evergreen Coast Capital Complete Acquisition of LogMeIn. GlobeNewswire, 2020.
[4] LastPass. CB Insights, 2019.
[5] Our response to a recent security incident; GoTo, 2023.
[6] LastPass owner GoTo says hackers stole customers’ backups; TechCrunch, 2023.
[7] Thoma Bravo and Silver Lake Complete Acquisition of SolarWinds, Thoma Bravo, 2016.
[8] SolarWinds hack explained: Everything you need to know. WhatIs.com, 2022.
[9] Thoma Bravo, Silver Lake sold stake in SolarWinds before hack warning – FT. S&P Global, 2020.
[10] SolarWinds lawsuit claims private equity owners ‘sacrificed cybersecurity to boost short-term profits’. SC Media, 2021.
[11] U.S. SEC considering action against SolarWinds over cyber disclosures, Reuters, 2022.
[12] How does cybersecurity add business value? Anapaya, 2022.
[13] Cost of a data breach 2022. IBM, 2022.
[14] Cutting Edge: Tech M&A Is Powering Deal Markets, p.31; Morrison Foerster, 2022.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.