Cyber due diligence best practices for private equity firms


Authored by Liberty Mutual Global Private Equity Practice Leader Amy Gross

I am diving into the world of cyber and private equity (PE) over a three-part series that will explore:

  • Part I: Cyber due diligence best practices
  • Part II: How PE boards can amp up their cyber expertise
  • Part III: Playbook for when a cyber incident occurs

First up, cyber due diligence.

Cyber is a complex and constantly evolving challenge for any company. Couple cyber risk with private equity activity and the risk compounds: a private equity firm carries the aggregate exposure of every portfolio company it holds, and if cyber risk is not managed appropriately at each of them, the result can be extensive exposure and ultimately financial loss for investors.

Top four risks to explore during the due diligence process

When it comes to cyber due diligence, there are four areas private equity firms should keep a close eye on:

  • Risk profile and systems – what is the cyber risk profile of the company? Are IT systems modern and up to date? Does the company have a clear understanding of all of the IT systems within its scope, including systems that are managed by third parties? Are those systems appropriate for the market that is being pursued? Are there processes and procedures in place to help protect the systems?
  • Human capital – have people been trained on cyber risk? What governance processes are in place around cyber training?
  • Cyber risk management and organizational structure – does the company have cyber risk management procedures? How is the company thinking about cyber from a general risk and controls perspective?
  • External risks and threats – have third-party risk assessments and penetration testing been conducted? Have any potential incidents or exposures, such as past breaches or company data on the dark web, been identified? Is the company compliant with the regulations that apply to it?

Controls and coverage: the mainstays of PE cyber due diligence

Once firms have identified their cyber pain points, they can then begin to focus on building up cyber programs that can help protect against those risks. These programs should be grounded on two pillars: controls and coverage.

There are foundational cybersecurity controls that most companies should have in place, including:

  • Security policies and procedures: ensuring the organization has documented security policies and procedures, and that they are up to date and comprehensive.
  • Network security: protecting the parts of the network that give access to high value assets, such as customer data or intelligence on business operations.
  • Identity and access management and insider threat management: managing who can access what data and when, so that the right people have the access they need to execute business processes, and helping to protect against malicious internal actors.
  • Incident response: the ability to identify an incident or potential incident and respond to it rapidly.
  • Third-party vendor management: understanding which third-party vendors the organization uses, knowing whether each vendor’s security practices have been reviewed, and ensuring vendors are contractually obligated to adhere to the same security standards the organization adheres to.
  • Employee training and awareness: ensuring employees know what a phishing or social engineering attack is, what information they should and should not provide to outside parties, and how every role and rank, from entry level to board member, shares responsibility for cyber.

Ultimately, the cybersecurity controls a private equity firm has in place can dictate coverage, the insurance piece of a cybersecurity program, whether that coverage is purchased or self-insured. Working with a broker, a firm can identify its risk exposures and the limits it needs, and the broker can help the firm understand the details of the cyber policy so it is aware of what might lie outside the policy’s scope.

Add-ons can further muddle the cyber puzzle

Add-ons present a unique challenge when it comes to managing cyber risk, because cyber is usually not a top-three item in due diligence and can therefore fall by the wayside. It is not uncommon for a PE firm with a national growth strategy to acquire a regional add-on company that has few or no cyber controls. And, more often than not, during these transactions firms are preoccupied with how the combined business will go to market and with aspects like the balance sheet, not with IT systems.

Taken together, this typical approach and situation leave the deal ripe for a cyber incident. The key to minimizing cyber risk with add-ons is to fold the add-on into the platform company’s systems and controls quickly. It is also particularly important that firms neither become overly reliant on nor neglect the legacy systems left in place under transition services agreements (TSAs), but rather decommission those old IT systems in a timely way.

Cybersecurity and cyber risk are not new. Yet, the need to continue the conversation is still urgent. The risk is evolving rapidly and how private equity firms approach the risk and execute due diligence can have a direct impact on long-term portfolio growth, stability, and reputation.

Liberty Mutual’s dedicated underwriters, close partnerships with our clients and brokers, and expert mitigation and claim resources help us deliver cyber liability solutions appropriate to the individual needs of companies across geographies and industries. Learn more about how we help private equity firms manage their unique risk needs.


