The Rising Role of Cybersecurity in Enhancing Portfolio Company Value
Introduction:
In the realm of investing in businesses, the valuation of portfolio companies is increasingly influenced by their cybersecurity posture. As Managing Partner at NorthCap and having spent years working with Private Equity companies, Venture Capitalists, UHNWI’s, and Family Offices, I’ve observed a growing trend where robust cybersecurity strategies significantly elevate a company’s market value, making it more attractive to investors.
The Critical Role of Cybersecurity in Valuation:
Cybersecurity risk is a universal concern across industries and sizes. In private equity, particularly during the deal lifecycle, cybersecurity can no longer be sidelined. Investors have witnessed value erosion post-acquisition due to cybersecurity breaches. The volume and complexity of data managed by businesses, coupled with sophisticated threat actors, make today’s cyber threats more challenging to detect and costly to recover from.
Three Crucial Case Studies to Reflect On:
1. Verizon’s Acquisition of Yahoo!: A Defining Moment in Cybersecurity’s Influence on Mergers and Acquisitions
The landscape of deal-making has seen a shift, with more transactions falling through due to heightened scrutiny of cybersecurity. This trend largely stems from Yahoo!’s 2017 revelation of a data breach, which led Verizon Wireless to reduce its acquisition offer. Initially, Yahoo! had not reported any major incidents, but later disclosed a breach impacting over 500 million users. This revelation resulted in a 3% drop in Yahoo!’s stock value, translating to a $1.3 billion loss in market capitalization. Verizon subsequently deemed the breach a significant event in their agreement, leading to a $350 million reduction in the purchase price, equivalent to 7.25% of the original deal value.
2. Elliott Management’s Involvement with LastPass: The Importance of Cybersecurity Post-Acquisition
In 2015, LastPass, a digital password management company, was acquired by LogMeIn (now GoTo) for $110 million. In 2019, Francisco Partners and Evergreen Coast Capital, affiliates of Elliott Management, purchased LogMeIn for $4.3 billion. However, in 2021, LastPass experienced a major data breach, compromising extensive user personal information. The breach involved access to backup databases containing sensitive data, including obscured passwords, customer backups, encryption keys, and plaintext emails, usernames, and domains. This breach raised concerns about the potential exploitation of weak or reused passwords, increasing the risk of targeted phishing attacks. The breach’s impact on the company’s valuation and investment profitability remains significant, though exact details are not fully public.
3. SilverLake/Thoma Bravo’s Acquisition of SolarWinds: Unexpected Regulatory Expenses Following a Cyber Incident
SolarWinds, a developer of IT infrastructure management software, was acquired in 2016 by private equity firms Silver Lake and Thoma Bravo for approximately $4.5 billion. In December 2020, SolarWinds was hit by a major cyber breach, impacting numerous organizations and government bodies. Suspected state-sponsored hackers infiltrated SolarWinds’ systems, injecting malicious code into their Orion IT monitoring product. This breach, which distributed malware to SolarWinds’ clients, affected a wide range of entities globally. The breach’s aftermath saw SolarWinds’ shareholders file a class action lawsuit against Silver Lake, Thoma Bravo, and key company executives, alleging that the cybersecurity deficiencies and insufficient investments leading to the Orion hack were due to the private equity firms’ focus on short-term profits over long-term growth. SolarWinds later settled this lawsuit for approximately $26 million and disclosed that the U.S. Securities and Exchange Commission had suggested enforcement action against them for their public cybersecurity statements and disclosure practices.
Why Focus on Cybersecurity in the Deal Lifecycle?
Cybersecurity is not just about compliance or defense; it’s a competitive advantage. A business robust in cybersecurity is valued higher than one vulnerable to cyber threats. Understanding the cybersecurity posture of a target business is now an essential component of deal preparation.
Protecting and Enhancing Value through Cybersecurity:
Creating and protecting value in a business is simple when it comes to cybersecurity. If you can ensure appropriate defenses against identifiable threats, and ensure the ability to respond and recover from incidents, you will enhance customer trust. With customer trust, comes customer loyalty.
- Protection Against Valuation Threats: Effective cybersecurity defends against threats that can impact a business’s monetary, reputational, and legal standing.
- Business Resiliency: The ability to recover from incidents affects how a business is perceived and its financial sustainability.
- Customer Trust: A secure and trustworthy company is more attractive to customers and partners, opening more opportunities for success.
Best Practices for Private Equity in Cybersecurity:
Adopt a Before, During, Exit mindset to cyber risk management in all company investments.
Before:
Conduct Cybersecurity Due Diligence
Use a dedicated cybersecurity assurance partner to conduct pre-deal due diligence on the target. The insights from these assessments, when properly conducted, provide critical insights into previously unknown cybersecurity concerns. This allows you to ensure that the target is valued accurately and there are no hidden surprises post-acquisition. This stage is critical for the next phase, as its output will feed the 100-day plan.
During:
Create a Post-Acquisition Plan and Ongoing Risk Management Program
Create a 0 to 100-day post-acquisition plan to remediate critical gaps in maturity that could threaten company value. Then work with an Assurance Partner to regularly assess the company, providing you with a clear roadmap to resilience to protect and create value until the point of exit.
Exit:
Prepare for Buy-side Due Diligence
Remember that when you come to exit a business, any respectable investor on the buy-side will be conducting their own cyber due diligence. It’s critical to prepare for these by documenting all the efforts made to improve resilience and demonstrate maturity. The purpose of this is to avoid due diligence discounts to business valuations caused by an inability to demonstrate best practice implementation and appropriate cyber risk management.
NorthCap Cyber’s Role in Portfolio Value Protection and Creation:
At NorthCap Cyber, we understand the intricate relationship between cybersecurity and company valuation. Our approach involves working closely with you and your portfolio, bridging the gap between business value and cybersecurity risk management. We don’t talk in 1’s and 0’s. We talk in plain English, helping to demystify cybersecurity jargon into real business strategy – all aimed at protecting and creating business value.
Conclusion:
In today’s digital age, the value of a portfolio company is inextricably linked to its cybersecurity posture. Investment firms that invest in robust cybersecurity measures for their portfolio companies are not just protecting their assets; they are strategically enhancing their value and appeal in the market. As we move forward, the role of cybersecurity in driving company valuation will only grow, making it an indispensable aspect of investment strategy.
About NorthCap Cyber:
NorthCap Cyber specializes in elevating the cybersecurity posture of portfolio companies, offering comprehensive solutions that align with business goals and market demands.
Contact us to learn how we can enhance the value of your investments through strategic cybersecurity initiatives.
9vmbzb