Evaluating Cybersecurity Risks and Preparedness in Target Companies

Before committing resources to a potential investment, private equity firms should aggressively evaluate a target company’s cyber risks and cyber preparedness. Some target companies are naturally more exposed to cyber risk than others because they collect and store information that criminals are interested in stealing—information such as customers’ names, Social Security numbers, tax information, credit card information or financial account information. However, regardless of business type, virtually any company that caters to individuals is exposed to cyber risks if it has not adopted policies to protect customer information, or if it only has policies on paper and does not implement them in practice. This article will help private equity firms assess a target company’s actual cyber risks by guiding them through the diligence process. Issues include: 

• what to look for to make sure a company has a comprehensive information security program in place; 
• how to make certain that the components of that program are actually being implemented; and 
• how to ensure that the company’s designated information security officer is effectively monitoring the ongoing information security threats the company faces. 

Does the target company have a comprehensive information security/privacy program? 

A comprehensive information security/privacy program consists of several important components that work together. As part of the diligence process, private equity firms should be sure to review the following policies and enlist an expert to evaluate them for completeness: 

• Written Information Security Program (“WISP”): A WISP should address how the company protects the customer information it collects and retains and explain the technical, administrative and physical safeguards the company has in place to make sure the information is not accessed by criminals, or inadvertently exposed by an employee. 
• Incident Response Plan: This action plan explains what the company will do if there is a data breach or cyber-attack. It lays out how the company will determine whether a given incident constitutes a reportable event, how incidents will be escalated within the organization, names and contact information for internal decision-makers, as well as internal and external counsel, and guidelines for how to investigate the incident. 
• Online Privacy Policy: Every company that has a website should also have an online privacy policy that addresses how the company engages with website users and customers. The policy should explain how the company collects information from users, what type of information it gathers, how it shares that information and whether users can limit that sharing. 
• Privacy Notices: Companies that come within the Federal Trade Commission’s (“FTC”) or the Securities and Exchange Commission’s broad definitions of “financial institution” must, under certain circumstances, tell people what types of information they collect from them, how they collect it and whether they share that information with other organizations. Under certain circumstances, they also need to provide people with the opportunity to keep that information private and to opt out of having it shared. 
• Cyber-Insurance Policy: When a company’s technical or physical safeguards fail, comprehensive cyber coverage can cover the costs associated with forensic examinations, notification costs, legal fees, potential business losses and public relations expenses. 

Is the information security/privacy program actually being implemented? 

A comprehensive information security/privacy program cannot simply exist on paper—the company must also actually implement and monitor the policies it has adopted. Implementing the policies increases the chance customer information will be protected in accordance with industry standards, which thereby decreases the risk of a cyber-incident. Implementing and monitoring the policies will also be important should the company become the target of an FTC enforcement action, as the FTC has taken the position that when a company’s privacy policy tells its customers that it safeguards their information, but fails to actually do so, it has engaged in deceptive trade practices.¹ 

Private equity firms should look carefully at the following areas to determine whether a target company’s information security/privacy program is actually being implemented: 

• Technical safeguards: Companies should have user authentication protocols in place, require secure passwords that must be changed frequently, and block information after several failed attempts to access it. Companies should also encrypt personal information, monitor systems for unauthorized use, and maintain up-to-date firewall and malware protection. 
• Physical safeguards: Hardcopy records containing personal information should be stored in locked facilities and transported in a way that minimizes the risk of disclosure. 
• Administrative safeguards: Companies should ensure that access to customers’ personal information is limited to authorized personnel, train employees on safeguarding procedures and ensure that terminated employees no longer have access to sensitive records. 
• Contracts with third party providers: Personal information often needs to be shared with third-party service providers in order to provide customers with the services and products they have requested. Companies should select service providers who will protect the personal information in the same way the company does and contractually require them to do so. Careful review of these third party contracts should be part of the diligence process. 
• Limits on what information is collected and shared: All companies should limit the amount of personal information they collect and retain. Financial institutions should make sure they share information only in the ways in which they tell people they do. 

Is a designated information security expert effectively monitoring threats to the company? 

Every target company should have a Chief Information Security Officer (“CISO”), or other executive-level employee who is focused on and can speak fluently about the company’s approach to cybersecurity and data privacy. The CISO should, at a minimum, be able to explain: 

• What the company sees as the major cyber risks it faces and how it has prioritized the protection of the associated data. This should involve an in-depth understanding of the company’s data storage architecture, as well as the company’s incident response plan, including how it fits the company’s particular business model. 
• How often each component of the company’s information security/privacy program is evaluated, tested and updated. 
• The company’s responses to any past cyber-attacks or data breach incidents, which should include copies of data breach notification letters, records of how the incident was investigated, and an explanation of how the company worked proactively with law enforcement and its applicable regulator, if the incident rose to that level. 

Conclusion 

In the current environment, private equity firms should expect that a target company that collects personal or sensitive information from its customers or users will be the victim of a data breach or cyber-attack. Appropriate diligence by a private equity firm will, however, enable the firm to adequately assess the risks in making the investment in the target company. 

Footnotes 

_{1) See generally Fed. Trade Comm’n v. Wyndham Worldwide Corp., No. 14-3514, 2015 WL 4998121, at *1 -*2 (3d Cir. August 24, 2015).}