Ransomware Targets Private Equity

I’ve received two press releases this week from a private equity client regarding recent acquisitions on which we provided technology due diligence. The releases reminded me of recent conversations we’ve had with that firm and a few others surrounding PR on new deals. My friend Doug, who’s spent many years in PE on the operations side of things, emailed me late last week and said “Client in Detroit just got hacked right after they bought a company. This is 2nd time and they decided to stop doing deal PR until they get their defenses hardened. They say they have a firm but they keep getting hacked. WTF!” Everybody has heard the saying “there’s no such thing as bad PR,” but when it comes to private equity and acquisitions, it’s all about proper timing.

Targeting Deal Announcements

Based on feedback we’re getting from our partners, ransomware actors are targeting private equity firms and their newly acquired portfolio companies for two reasons: newly acquired companies are often sorely lacking in cyber security measures, and attackers believe that private equity firms have money to burn when it comes to paying large ransoms. To that end, an increasing number of our clients have decided to delay deal announcements until proper cyber security measures have been put in place within their newly acquired companies.

A recent technology diligence audit we performed on a chemical/pharma R&D firm is a perfect example of why hackers are targeting these deals. It uncovered the following list of concerns:

    • Lab computers are not connected to the corporate network and are fully unmanaged as a result
    • One Windows 10 device is used for running Sage software for accounting
    • No available asset reports which would include make+model+age of equipment
    • Network security is provided by the ISP modem alone
    • Wireless is provided by the ISP modem
    • Endpoint security on Macintosh devices is not in use
    • There is no remote access into the office, no use of VPNs
    • There is no endpoint monitoring or management
    • There is no system/patch management
    • There is no multifactor authentication (MFA)
    • There is no evidence that laptops are encrypted
    • Email is provided by a proprietary email solution, Hosted/Managed by (individual)
    • There is no user access control
    • There is no formal user management control

Our consultant’s analysis included the following note:

“We find that the existing technology platform will require a thorough upgrade to bring it into alignment with generally accepted IT security best practices. The lack of security controls may be a significant red flag for any insurance carrier and will likely limit the ability to acquire quality cyber liability and potentially, E&O coverage.” Note that the existing system is nowhere close to generally accepted best practices. If that’s not a concern, I don’t know what is.

The Importance of Technology Due Diligence

While the WSJ notes that “If one portfolio company has weak security, attackers might systematically move through a firm’s entire roster…”, the piece also suggests that cybersecurity has become ‘far more routine’ as part of diligence. Our experience shows us that while cyber reviews may well be more routine, technology diligence in general is still often an afterthought. And we see plenty of instances (see the example above) in which lower middle market companies have failed to spend properly to keep their systems up to date or their networks and data secure.

So, how to protect your business and your investment? Hire an expert to provide technology due diligence with every acquisition, make sure that all portfolio companies have proper security solutions in place (Ashton applies NIST 800-171 standards in conjunction with numerous hardware and software measures), and hold off on the deal announcement until you’ve implemented those solutions. An extra week or two could save you a lot of money and agony.

If you’re looking for technology DD on your next acquisition, technology implementation or platform integration post-close, or long-term technology management of your portfolio companies, contact Ashton Solutions at 216 397-4080.