INSIGHTS AND RESOURCES

Private equity firms may inherit data attacks from acquisitions

INSIGHT ARTICLE  | 

Authored by RSM US LLP


Originally published March 2014

Many businesses in a variety of industries, including private equity firms and their portfolio companies, can experience data security breaches. Violations often involve the loss of customers’ personal and credit information, and many times, go far beyond the potential loss of financial information or regulatory penalties. The bad press from a security breach could equate to the loss of thousands, if not millions, of customers. In addition, the greater hit is often in the form of reputation and goodwill erosion, and the possibility of liability suits.

As a private equity firm acquiring a new business, could you be held responsible for existing ineffective security strategies, resulting in breaches within the acquired company? Further still, post-deal close, could you encounter challenges related to compromised intellectual property of the acquiring business and resulting aftermath? In a word, yes. You could inherit many of the problems from presale attacks, and be paying for these security issues for years, in the way of fines, costly litigation or plummeting revenues.

Intellectual property concerns

A major concern for private equity firms and their portfolio companies is compromised intellectual property. What happens if you own or acquire a company, not knowing its key intellectual property has been compromised? For example, let’s say you buy a company that had the market cornered on one specific area, a unique niche in the market, and that unique niche was what made it a desirable business purchase. After the sale, you find that the very unique niche that made the company so ideal was actually compromised, due to a security breach or stolen intellectual secrets. Patents, copyright, trademarks and industrial design rights provide protection around the elements of intellectual property, yet ideas can be breached and designs stolen.

Knowing of the intellectual property breach prior to the deal closing, how would this have affected the acquisition? You may have walked away from the deal or bought the company for a lower price. A company can lose its value and competitive edge if their key intellectual property is compromised. Losses for a deal misstep like this can result in millions of dollars, and business recovery may never occur. Proper due diligence prior to the deal close is essential to uncover intellectual property impropriety or breach.

The best defense

To get started on applying protective security strategies, a simple assessment of the current state can help an organization understand their security posture, and identify gaps in their security program. Private equity firms can use this same approach in their potential acquisitions, as well. Studies show good protection can save a company up to $1 million per year, or with higher-end protection, as much as $2 million.

A business-wide and sweeping assessment can help reveal appropriate security standards, including: ISO 27001, the payment card industry (PCI), Sarbanes-Oxley Act of 2002 (SOX), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA) and more. In addition, it can uncover, to an organization or an acquiring firm, all of the ways the company may be breached. For instance, most data breaches do not happen through front-facing websites, but rather through side channels, like a branch wireless system or retail site networks. Organizations should ensure that all access to their networks and systems are managed, including third-party access.

In addition, a comprehensive assessment can identify if the acquisition target will need major funding to get itself security compliant. Frequently, when a company is trying to get acquired, they will cut all possible spending in order to make their financials more desirable to a buyer. This often includes funding cuts related to information technology (IT) security and maintenance, the very preventive needed for strong security planning. A private equity firm looking to acquire this company often doesn’t realize this financial cut until post sale. Unfortunately for the acquiring private equity, in these cases, it may take several years to upgrade the acquired company’s technology and assure proper security strategies and tactics are in place.

Questions to consider

Another best defense is pondering critical questions prior to an acquisition. Answers to these questions may make all the difference in deal negotiations.

  • What is it about the target that makes it of value to you?
  • Is it something that can be stolen or copied? Broken?
  • How would you know if it has been compromised before you buy that target?
  • How would you know if it has been compromised since you bought it?
  • How are you monitoring this risk?
    • Are your targets or portfolio companies doing this on their own?
    • What evidence or metrics are provided to you?
    • Do you have some centralized process for continuous monitoring?
  • Is the target in an industry facing potential new regulatory oversight?
  • What if the target is not facing new regulations, but its primary partners or customers are?
    • For example, many retailers and financial clients are now forced to do extensive risk assessments on their vendors and business partners.
  • Are you prepared to deal with the cost?

Once a private equity firm or business has an understanding of their current security posture and threats, they can target their information security spend on the largest risk areas to quickly reduce the potential for a security breach. By improving the weakest links in an organization’s information security posture, it can quickly become a less-attractive target for an attacker, and a much more attractive business for a buyer.

Let's Talk!

Call us at +1 213.873.1700, email us at solutions@vasquezcpa.com or fill out the form below and we'll contact you to discuss your specific situation.

  • Topic Name:
  • Should be Empty:

This article was written by Daimon Geopfert and originally appeared on 2021-07-13.
2021 RSM US LLP. All rights reserved.
https://rsmus.com/what-we-do/industries/private-equity/featured-topics/private-equity-portfolio-optimization/private-equity-firms-may-inherit-data-attacks-from-acquisitions.html

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/about us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.

​Vasquez & Company LLP is a proud member of the RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise and technical resources.

For more information on how ​Vasquez & Company LLP can assist you, please call +1 213.873.1700.

Subscribe to receive important updates from our Insights and Resources.

  • Should be Empty: