Cybersecurity Due Diligence for Private Equity Firms

Disclaimer: None of this is legal or financial advice.

I love my job. The cybersecurity landscape is constantly changing, and part of my role building AVANT’s security program is ensuring our partners and their customers continue to grow and evolve with this landscape.

AVANT Sales Engineers work with an incredibly diverse set of Trusted Advisors all around the world. Even more interesting, we get to help our Trusted Advisors build relationships with their strategic partners. This is one main way we push the ecosystem to a level where the whole is significantly greater than the sum of its parts. That’s how we set a vision and strategy with partners that pushes the boundaries of what’s truly possible.

Working with Private Equity Firms

As a top Technology Services Distributor (TSD) in the channel, one of the biggest ways we magnify our impact on our industry is working with private equity firms that have strategic relationships with our Trusted Advisors. This ranges from multibillion-dollar Private Equity (PE) firms with managing stakes in private companies on multiple continents, to real estate private equity (REPE) to fund-of-funds.

Best Practices for Cybersecurity Due Diligence

The conversations we have with PE firms are consistently interesting. Some firms are very hands off, post-investment. They simply invest and expect a return. Some firms, especially those that focus on distressed companies, take multiple board seats and choose to install managing directors. Some, still, will limit their due diligence to profit and loss statements. On the other end of the spectrum, firms may spend significant time and money to understand the risk of their potential investment.

Ask an investment banker or PE firm how much meaningful due diligence costs and, like any good consultant, they will answer “It depends.” As long as the route to a return is legally and ethically sound, both pre-investment analysis and post-investment management styles can and should vary considerably.

That being said, we generally lean towards conducting somewhat more cybersecurity due diligence than most PE firms currently do in the field. Let’s walk through why we often take that stance.

Security for Loss Protection

We’ll begin with the traditional way to think about an applied cybersecurity program at a portfolio company: loss protection. Generally, loss protection is a great place to start when thinking about security. It’s still relevant in many industries, especially in public infrastructure such as utilities, transportation, and energy. Through this lens, an organization invests in security to shore up its defenses against data breaches, exfiltration, or the misuse of sensitive data, all of which can lead to lost time for the company, a poor user experience, or worse.

Security as the Key to Unlocking Revenue

While loss prevention and protection are key focuses for many organizations, the calculus can be quite different for portfolio companies with go-to-market strategies such as commercial B2B, intellectual property as revenue, or need-to-win government contracts, to name a few. In many of those cases, thinking about cybersecurity only through the lens of loss protection undersells the potential impact of the overall security investment. In these cases, security becomes the key to unlocking revenue.

Imagine you’re a Fortune 500 company looking to do business in a particular area. You have a billion dollars to spend and you’re soliciting RFPs. Ten companies look like viable options that can consistently deliver what you need. However, if you’re only confident in the security programs of half those vendors, the other half don’t even get a shot at that revenue. That’s leaving cash on the table, and you can directly attribute that loss to a lack of security investment. This is one of the major reasons why we often (but not always) recommend performing reasonably prudent due diligence into security programs prior to signing a check.

General Guidelines to Security Due Diligence

Now, onto brass tacks. Here are some of the things we often suggest looking into as a part of that due diligence. User beware: this is not an all-encompassing list, and the circumstances may dictate moving somewhat or completely away from this. Remember, “it depends!” When evaluating security programs, consider:
1. Current and projected security spend
2. Current cyber insurance
3. Current and previous cyber insurance claims
4. Current incident response retainer and any previous funds committed to incident response
5. Customer and supplier contracts that may dictate a level of security
6. Business impact analysis of key assets and their current security posture
7. Cyber incidents that were disclosed both publicly and privately to partners and “near miss” incidents
8. Recent funds committed to restoring customer relationships, business operations, or technical infrastructure after a security event
9. Recent changes in compliance requirements, certifications, and attestations
10. Technical Due Diligence
10a. Program glide path with current and projected Cyber Defense Matrix coverage (the matrix maps controls across the five NIST CSF functions (Identify, Protect, Detect, Respond, Recover) and five asset classes (Devices, Applications, Networks, Data, Users), so gaps show up as empty cells)
10b. Tech stack review across corporate, IoT, manufacturing plant, and developer environments

The goal of these efforts is to understand risk from both the loss prevention and the revenue enablement perspectives. This work can help PE firms and their investors better understand and control risk before they cut a check. Use these guidelines as you help your customers understand their unique cybersecurity needs. Plus, remember that AVANT is here as an additional resource to keep these opportunities moving efficiently! Let us know more about the deal’s details by filling out an Interactive Quick Assessment or connect with us to experience our team’s expert guidance.

Stephen Semmelroth

Senior Director of Engineering