Healthy deal flow that enables investment at a price point in line with an exit strategy is the foundation of the private equity business model. It is a given that investors will conduct detailed diligence around a target’s financials, market, structure, and many other factors to help confirm their thesis around an acceptable entry price point. Of course, a deal should not move forward if the investor’s plans will not make the difference needed to achieve an outcome, and these diligence steps are designed to maximize understanding and thus de-risk the investment.
For many private equity firms, the concept of cybersecurity still falls in the category of “other factors,” if it is evaluated at all. As a field that is emerging rapidly and by its nature technical, it is easy to understand why cybersecurity diligence is not yet a widely accepted default element of deal diligence, but that paradigm is shifting quickly.
By treating cybersecurity diligence as an element of financial diligence, private equity firms can quickly gain a competitive advantage over slower movers and recognize the gains within the lifecycle of upcoming investments.
As more investors are coming to learn through firsthand experience, cybersecurity posture, even at small companies with limited sensitive assets, can represent a material change to the financial thesis they calculate prior to closing a transaction. With roughly 65% of private equity investments coming in at $50 million or less, and the average cost of recovering from a breach in the SMB sector at about $150,000, the numbers add up quickly, and scale as would be expected with company size and complexity.
Even if the worst-case scenario doesn’t hit an investment, with 3-7 year hold times for many private equity firms, it is nearly certain that by the time an acquisition is ready to be positioned for an exit, prospective purchasers will be more mature cybersecurity evaluators than they are today. Even at the smallest companies, a solid baseline focus on cybersecurity, potentially including investments in technology, staff, or outsourced managed service providers, is likely to generate returns much the way other areas of differentiation, like operating efficiency and a fluid go-to-market motion, do today.
This evolution in the market creates a great opportunity. For minimal time and expense, investors can not only properly evaluate an acquisition if red flags are discovered, but also gain actionable insights into a company’s cybersecurity posture. In 2020, and even more so by 2025, cybersecurity maturity has a direct monetary value, and for firms that are early movers, the returns will be high.