Debevoise & Plimpton on Cybersecurity: Reducing Threats to Private Equity Firms and Their Portfolio Companies

By: Jeffrey P. Cunard and James Pastore

Like other businesses today, private equity firms and their portfolio companies increasingly face serious data security threats – for example, from individual hackers, from organized criminal enterprises and even from their own employees or vendors.  We all know from recent press reports that a data security breach can seriously harm the reputation and reduce the value of the affected business.  Unremitting efforts by senior management and boards to combat these threats should be seen in 2015 not only as good business but also – with regulators, courts and the plaintiffs’ bar increasingly bearing down on perceived lapses in data protection – as a legal necessity.

In this article we outline some of the steps that private equity firms can take to combat cyber threats.  One size does not fit all, of course.  Cybersecurity protections must be tailored to the size of a private equity firm (including the funds it manages); the nature of its portfolio companies’ businesses; and the types and volume of data it and they maintain.  Still, private equity firms of all types and sizes can look to a common set of basic measures to manage their cyber risks, both business and legal.

At the Firm (and Fund) Level

KYA2.  We call the basic cybersecurity starting point “KYA2”:  “Know Your Assets” and “Know Your Architecture.”  Identifying what you have (assets) and where you keep those assets (architecture) are fundamental when it comes to cybersecurity.

Under the heading of “Know Your Assets,” the task is to catalog what sort of data the firm collects from all its various constituents and counterparties, from limited partners (LPs) to employees to vendors to acquisition targets to portfolio companies.  At the firm level, those assets can include sensitive personal and financial information of founders and other employees; data concerning LPs, such as data gathered to satisfy KYC/AML requirements; material non-public information about portfolio companies that is held by the firm, including those companies’ business plans and financial data; and confidential information about the firm’s own strategy, potential fund investments and portfolio company exit plans.

Under the heading of “Know Your Architecture,” the task is to document where exactly the firm stores this sensitive information (e.g., internally, off-site, with a third-party cloud provider, using an application services provider); what measures are taken to protect the data (e.g., encryption of particularly sensitive information); whether the network is “segmented” so that an intruder who gets in the front door does not have the run of the whole house; whether especially sensitive data is segregated in a particular storage location as opposed to (for instance) being combined for convenience with other data on a computer server that has unused storage space; who has access to different types of data and by what means; and whether stale files are periodically purged.  This last point is simple but all-important: Criminals can’t hack – and you can’t lose – what you don’t have.

Plan, Prepare, Test, Repeat.  Once you know what assets you possess, and where they are maintained, you can develop a plan (working with cyberforensics consultants and experienced counsel can help) to protect those assets by implementing appropriate controls and by testing those controls to ensure they are working as expected.  Well-recognized benchmarking standards, such as the Cybersecurity Framework promulgated by the National Institute of Standards and Technology (“NIST”), the SANS 20 Critical Security Controls or ISO 27001, can help guide that process.  Once controls are in place, independent third-party verification, such as penetration testing (a/k/a “hire-a-hacker”), can surface weaknesses the controls missed, guide remediation and help keep the firm in line with evolving best practices.

Protect Against Human Error.  Even a well-secured network can be compromised if employees at all levels aren’t sensitized to risks such as “phishing” – that is, well-crafted emails designed to trick recipients into clicking on links, or opening attachments, that result in the installation of malware.  Other potential vulnerabilities are less high-tech: the misplaced laptop or thumb drive that contains unencrypted, sensitive data, or the errant email that sends sensitive information to the wrong recipient.  By ensuring that employees understand cybersecurity best practices, you can substantially reduce potential data loss – and avoid the disclosure obligations and other legal burdens that can flow from even an inadvertent, good-faith breach.

Consider Your Vendors.  Some highly publicized breaches have involved a hacker accessing a company’s systems through an outside vendor.  Just as the plumber you let into your office potentially can breach your physical security, so, too, can any vendor that has access to your computer systems, or stores information on your behalf, compromise your cybersecurity.  That means being vigilant both about engaging vendors and managing them day to day.

As part of the diligence you undertake when engaging a vendor that has access to your information, consider reviewing the vendor’s own security history and practices, including audits and descriptions of security protocols, and asking how the vendor’s cybersecurity protocols compare to benchmarks like NIST, SANS or ISO.  Questionnaires can be a starting point for the discussions with vendors.  At the contracting stage, consider obtaining an express written commitment to maintain your information securely and to maintain baseline security practices; representations and warranties that bind the vendor to benchmarks like NIST, SANS or ISO; indemnification; and a mandate that the vendor carry cyber risk insurance at specified levels.  Day to day, consider reviewing the policies and procedures you have in place for issuing credentials (i.e., usernames and passwords) to third parties and your protocols for ongoing monitoring of vendor access to information and security practices.  A February 2015 SEC report on cybersecurity at broker-dealers and investment advisers noted that just 24% of these firms imposed requirements relating to cybersecurity risk via their contracts with such parties.

Due Diligence Prospective Portfolio Investments.  In this day and age, one important due diligence question is how well an acquisition target safeguards its information and systems from cyberattacks.  Specific diligence steps could include, at a minimum, discussions with the company’s CIO and a review of critical agreements with vendors providing information technology services.  Cybersecurity issues also are often addressed in the representations in acquisition agreements.  Depending on the diligence findings and the nature of the company’s business, the company’s practices and approaches to cyber risks could be material to the transaction.  These and other transaction-specific issues – not to mention the steps to be taken should a cyber intrusion occur – are extremely important but sufficiently complex that we leave them to be addressed in detail in a separate article.

At the Portfolio Company Level

Securing Portfolio Companies.  Portfolio companies face most of the cybersecurity risks discussed above, so private equity firms will want to ensure that their portfolio companies put in place protections of the sort identified above.  In addition, portfolio companies also face, and must address, risks specific to their particular businesses.  The risk profiles are different for retail businesses that possess credit card numbers and customer contact data; healthcare enterprises that maintain sensitive medical records; and industrial companies that employ business methods so valuable that competitors or even certain nation-states may want to steal them.  Taking proactive measures to ensure that portfolio companies have robust and tailored cybersecurity protections in place makes good business and legal sense.  The costs of preparation are orders of magnitude smaller than the costs of dealing with intrusions and, more importantly, the potential hit to the value of a portfolio company whose defenses are breached.

Questions for Directors.  In the eyes of at least one high-ranking U.S. government official, staying on top of cybersecurity is now a director’s legal obligation.  In a recent speech, SEC Commissioner Luis Aguilar said cybersecurity “needs to be a critical part of a board of directors’ risk oversight responsibilities,” and that boards that “ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”  Among the questions that private equity firm personnel who serve on the boards of portfolio companies might want to ask are the following:

– When was the board last briefed on cybersecurity?  Is there a regular schedule for such briefings?

– Who on the board “owns” cybersecurity risk management?  For larger boards, is the audit committee or another committee charged with oversight?

– Have there been any prior data security incidents?  If so, how were they handled and what was done to learn from them?

– Does the company have an incident response team and plan?  If so, does it involve external as well as internal stakeholders?  When was the last time it was tested?

Conclusion

Thoughtful preparation can help mitigate cyber risk. Best practices for implementing IT security measures and corporate governance increasingly are converging with emerging legal standards and regulators’ expectations. The roadmap to compliance, too, is increasingly clear – and can help both private equity firms and their portfolio companies to reduce their business and legal risk.


Jeffrey Cunard is a managing partner of the Washington, D.C. office of Debevoise & Plimpton and leads the firm’s corporate intellectual property, information technology and e-commerce practices. James Pastore is Counsel and a member of the firm’s Cybersecurity & Data Privacy practice and Intellectual Property Litigation Group.