Ransomware attackers appear to be focusing more on recently acquired companies that are flush with private-equity cash, on the heels of a record year for M&A in 2021. Earlier this year, a midsize manufacturer was forced to pay attackers $1.2 million to unlock its hardware systems, about two months after it was acquired by a private-equity firm. A news announcement of an acquisition may offer a perfect opportunity for a ransomware attack.

Proposed cybersecurity rules from the SEC announced in February would require firms to "to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors" as well as report the firm's cybersecurity risk management practices to investors. Ransomware payouts in 2021 for midmarket companies were seen averaging around $1 million, a sum that could impact NAV as well as fund investor confidence, particularly for smaller PE firms.

Here are some key cybersecurity-focused questions for PE firms to ask companies as part of their due diligence during the pre-acquisition phase:

  • Does the target company have a reasonably mature cybersecurity program, which includes formalized cyber incident response capabilities, to help reduce the risk and potential impact of a ransomware incident or other serious cyber incident?
  • Does the company appropriately manage vulnerabilities in its internet-facing technology environment? 2021 was another record-breaking year for new software vulnerabilities.
  • Does the company have dedicated and skilled cybersecurity staff - either in-house, outsourced, or a combination of both - to manage the cybersecurity program and keep abreast of today's risk and threat landscape? The impact of the ongoing shortage of cyber talent continues to be substantial.

A reasonable measure of cybersecurity due diligence ahead of an acquisition can help PE firms to identify potential red flags that they could be buying a breach or a potential ransomware incident, along with an asset for their portfolio.