Specialty Podcast: Protect Your Portfolio from Cyber Criminals

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Brendan Hall (00:04):
Welcome back to another Alliant Specialty podcast. I am Brendan Hall, your host, Senior Vice President of the Cyber vertical here. My colleague and friend, Chad Allan Neale. Chad, say hello to the broadcast.

Chad Allan Neale (00:25):
Hello everybody. It's a pleasure to be here with you today, Brendan.

Brendan Hall (00:28):
I'm excited about this. It's one of my favorite things to talk about. Not just cyber, but cyber specifically as it relates to M&A transactions and how cybersecurity kind of comes into play in that very context. Chad, this is an area you spend all your time focusing on, right? You've been doing this for a while. What is it about these transactions of these companies that are so attractive to cyber criminals?

Chad Allan Neale (00:55):
Brendan, that's a great question and it's certainly something that we've seen, I'd say over the last five, six years. We saw a pattern way back then that there always seemed to be a breach at one of the portfolio companies, and it always seemed to happen around the time that the private equity firm made some kind of announcement of the transaction. So, they might send out a press release that announces that they've just acquired so-and-so portfolio company. And it got me thinking way back then that the cyber criminals were actually paying attention and they were using that as an opportunity, because they knew a couple of things. They just got acquired by a new private equity firm. There is going to be quite a bit of money being transacted. You're going to have relationships between parties that are not very strong.

In other words, the portfolio company doesn't know the way the private equity firm typically is going to transact when it comes to management fees or other types of requests for wire transfers. Then you combine those dynamics with the fact that most of these portfolio companies in the middle market have been so focused on building a business that they could ultimately find a buyer for, that they really have not spent much, if any time, thinking about cybersecurity. They've been focused on what is going to make my organization operate optimally so I can go to the market and find someone that's going to be interested in acquiring this business. And unfortunately, cybersecurity's been down the list of things that they look at from a value proposition, and a lot of the sponsors and the private equity firms that are acquiring these companies, they really didn't pay much attention to cybersecurity, five or six years ago. They just really started to think about it and how they could use it as an EBITDA lever to help valuation and value creation. But when they started to focus on IT, they weren't thinking about cybersecurity. And it's really only the last two, three years where you see cybersecurity being very much part of almost every transaction today. But even still in those transactions, in due diligence, we will find all kinds of interesting things that are on the roadmap from a cybersecurity standpoint. But here's another problem that happens. After the transaction, the private equity firms are focused on legal optimization, financial optimization, so many times they never get back to all the things that were uncovered in due diligence from a cyber perspective and actually go address those things. So again, you're dealing with a company that is pretty nascent from a cybersecurity standpoint. There's a roadmap out there that nobody's really working, and the private equity firm is telling the world about this transaction and getting everybody's attention.

Brendan Hall (04:20):
Wow. Yeah. So, there's a whole bunch of different risks that are being brought about there and not being paid as much attention to as they probably should. As you say, just looking at this most recent breach report that so many of the controls are these basic cybersecurity controls. It's not like companies that have very complicated networks with multiple locations around the globe, but they've got tons of different technology platforms. It's really some of the basic stuff. The MFA and the things that the insurance carriers are most concerned with, that's where I think we're seeing a lot of these breaches be prevented.

Chad Allan Neale (04:54):
That's been the case. And it's one of the reasons I love working in this space and working with portfolio companies, because we talked about the fact that they have been focused on building a business and cybersecurity's been an afterthought. The good news is there are some foundational things that you can put in place across your portfolio that doesn't require tremendous amount of investment. There's an investment, absolutely. But, when you think about the prevention capabilities that these investments are bringing versus the cost of a breach, I call it a no-brainer. You've got to make these investments, but again, we're not talking about some super flashy, sexy cybersecurity solutions that are handling a very particular attack. We're talking about the cyber hygiene. The Verizon breach report has made it clear year after year that 90% of all the breaches that they ever see come across the wire could have been prevented by that fundamental cybersecurity hygiene.

So, this is the way I like to think about it. There are two kinds of attacks in my mind. There's what I call the opportunistic attacks. Where someone is poking around seeing what they can find. Walking around the house, is there a door unlocked? Is there a window unlocked? If they don't see anything, they move on to the next house. And they start checking the doors and the windows and they're going to stop at the house that has that window open and there they're going to poke their head in the window and see what's in there. Oh, okay, there's a safe there, and so on. So, those are the opportunistic attacks and those are the kind of attacks that so many of the portfolio companies that I work with are spending so much time trying to respond to.

And it's so disruptive because someone's clicked on a phishing email. They're not patching their system. So, when someone clicks on that phishing email, there's an exploit for a particular vulnerability, and you've never patched that vulnerability system. Now that phishing attack has got a vulnerability that they can exploit, and now you've got a problem. And I would get calls from private equity firms every month or two, the same private equity firm, about a different PortoCo that's had another breach. And I kept looking at these are things that are so easy to prevent. So, that's the message I always try to bring to the sponsors and their portfolio companies - if you take care of patching, if you take care of MFA, if you require some level of privilege, access management solutions so that your administrative accounts have got a couple layers of protection, including MFA, and go through some of those foundational elements, you can move the needle from a security posture and really go from zero to a very strong security posture in a fairly short amount of time and not a tremendous amount of investment.

Now, conversely, the other type of attack is the targeted attack. Those are the advanced, persistent threats. Those are nation states; those are difficult to defend against because if you have a highly motivated attacker, they're going to find a way into your network. And that's where it becomes more of a focus to be able to detect that you've got something on your network, and therefore you can act and try to eradicate it. Today, if you talk to the FBI, they'll tell you that the average company to figure out that they've got an active breach going on in their environment, it's somewhere north of six months before they can figure it out. And it's usually a third party like the FBI or maybe an angel hacker that's informing the company that they've got a problem.

Brendan Hall (08:59):
Right, and slowly but surely over time, certainly starting with some of the larger sponsors and private equity shops out there, they're really trying to get a handle on risk across the portfolio. How are you seeing the nature of their role? Private equity sponsors, you'd think it would be a hundred percent in their court; some of them have a different approach, some are more like dictatorial for lack of a better term, and some hang back and say, you guys do whatever you want. So, what do you see as an effective role for portfolio risk management as it relates to what the sponsor should be doing?

Chad Allan Neale (09:30):
Well, this has probably been the most interesting evolution that I've seen over the 10 years that I've been a hundred percent dedicated to working with private equity firms and their portfolio companies. And that's the “cultural change” that you see at the private equity firm. Now, when I first started in this business, everybody wanted to talk to me about cybersecurity. Every sponsor, every private equity firm; if I came to them and said, let's schedule some time to talk about cybersecurity. They would all take my meetings. They would all take a bunch of notes, but inevitably, when it came time to do anything about it, then they would sit back and say, it's really against our culture to force our portfolio companies to do anything or to work with anybody. You know, we've acquired this business, we trust management to do the right thing, and that's the way we operate.

And then I would get the phone call three months later and they'd be like, oh, we've got a problem at a PortCo. Can you go help them? So, over the years, there have been so many breaches at portfolio companies, and it's become more and more of the pain point besides the pain that the PortCo fills and the sponsored fills. You've got LPs out there and the limited partners are wondering what are the private equity firms doing to protect their investors as it relates to cybersecurity breaches at their portfolio companies? So, the LPs are starting to put more pressure on private equity to move into more of a hands-on approach to this. You had a big push over the last couple years around ESG. Well, cybersecurity and privacy are certainly part of an ESG program. When you think about governance, and you think about the social aspects of an ESG program.

Anybody that's talking about investing with ESG in mind, they need to be thinking about cybersecurity and actively monitoring how those portfolio companies are actually achieving those goals. So, between the pain points, the fact that there's outside parties pressuring them, private equity now has pivoted and you're seeing more of them taking a much more proactive stance around cybersecurity risk management. Now I'm actually working directly with these private equity firms and across their entire portfolio to help them monitor how their portfolio companies are performing from a cybersecurity standpoint. So, we're not going in there and saying, hey, you're going to work with Alliant, and Alliant is going to be your cyber provider. Instead, we're coming in as a partner and working with the portfolio companies to benchmark what they're doing, give them credit for the things that they're doing and the partners they're working with. More importantly, help the private equity firm find those portfolio companies that are just lagging in putting a cybersecurity program together, and in that case, we've got different things that we do to help them bootstrap their cybersecurity program.

Brendan Hall (12:38):
Yeah, exciting times indeed. And speaking of the approach that you've developed here for our team, managing cyber across the portfolio has been down selected as a finalist, right? For the M&A Advisory Awards?

Chad Allan Neale (12:51):
That's right. So, we submitted our application for the Operating Partner Forum award ceremony that M&A Advisor hosts on an annual basis. It's in New York. We were selected as product of the year. That product, we call this Portfolio Cyber Security Surveillance, where we look at the entire portfolio and we help to provide that oversight for the private equity firm. But we also, because of our very unique approach to mergers and acquisition services as a broker and a technology practice, were recognize as firm of the year because of that marriage of insurance questions as part of a deal, and the technology and cybersecurity questions that we are helping to uncover and answer for our customers.

Brendan Hall (13:47):
Yeah, that's great. Congratulations on that. We are waiting with bated breath for the announcements.

Chad Allan Neale (13:52):
The exciting part is we've moved away from spreadsheets and PowerPoints. We've got this entire service tech enabled, so my customers can log in to see their entire suite of portfolio companies. They can get an aggregate view of how the collection of portfolio companies are performing, which ones are lagging behind. It's very easy to see, but then they can also click in and see each individual portfolio company and see what our assessment results were. We can see the roadmap that we've created with the portfolio companies and how that roadmap is progressing over the course of a calendar year. So really excited what we've been able to bring to the market and the reception that we received.

Brendan Hall (18:32):
Well, that covers everything we were trying to hit today. Appreciate everyone taking the time to listen to us, and if you have any questions, you can contact myself or Chad. Chad, thank you much for your time and we look forward to seeing everyone else out there.