Specialty Podcast: The Growing Role of Cybersecurity in Private Equity Deals

By Alliant Specialty / March 06, 2025

CJ Dietzman welcomes Jon Gilbert, Alliant M&A, and Michael White, Alliant Cyber, to discuss the critical role of cybersecurity and technology risk assessments in mergers and acquisitions for private equity firms. The team reviews key insights from 2024, including the growing importance of cyber due diligence and the complexities of managing cyber risk across PE portfolios. As one of the top five risk considerations, they highlight the necessity of integrating cyber risk into M&A strategies to ensure long-term success. They also share how Alliant equips firms with the expertise and solutions needed to navigate these evolving challenges and to better support our clients.

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

CJ Dietzman (00:09):
Welcome everyone to another episode of the Alliant Specialty Podcast. CJ Dietzman here, Senior Vice President with Alliant Cyber. I head up our cyber consulting practice and am really thrilled to be with you today talking about an exciting and important topic in the realm of mergers, acquisitions and the private equity industry. Let's focus on cyber and technology risk, mitigating and addressing those risks, addressing it through fulsome and meaningful due diligence ahead of deals and managing risks across portfolios. Folks, I am thrilled to have two of my colleagues today who are specialists in this industry and in this arena. Jon Gilbert, who is the co-head of the Alliant M&A practice. Welcome, Jon. We partnered together on so many clients, and I know that you have a lot of experience and perspective on this. Also joined by my colleague Mike White, who is our specialist leader and an expert practitioner in the realm of cybersecurity, technology risk and getting ahead of those risks and mitigating them from a diligence standpoint, and also managing those risks across portfolios of companies. Welcome, Jon and Mike. Thrilled to have you on the podcast today.

Jon Gilbert (01:21):
Thank you, CJ. Happy to be here and look forward to talking about a pretty exciting topic that we're dealing with every day.

Mike White (01:26):
Thank you very much, CJ. Look forward to having the conversation.

CJ Dietzman (01:29):
Well fellows, let's jump right in. Jon, I want to put you on the spot. Thinking back to 2024 and what we experienced in the market, merger acquisition activity across the private equity industry and beyond, what are some of your key takeaways as we take a breath here in Q1 2025? What are some of those key themes broadly that you observed in 2024? Maybe you could put a lens on it as well, what you saw from a cyber and technology risk standpoint, if you could.

Jon Gilbert (02:01):
Yes, you got it. Well, thank you, CJ. 2024 was a record year for Alliant M&A. We had a plethora of deals, tons of deal closings, and really knocked the ball out of the park to deliver for our private equity firms and their portfolio companies. We certainly saw a lot of activity. I think overall the market is still looking for more activity and hopeful for 2025 as far as deals. There's been a record amount of funds raised in 2024. It was another record year for fundraising in the private equity world, and they're going to have to deploy that capital. So we're cautiously optimistic that we're going to be very, very busy this year and really working hard to support our clients through the transactions. I would say we saw a lot of focus from our private equity firms, both pre-close due diligence, but equally as important, post-acquisition monitoring of the cybersecurity across the entire portfolio. It's become a topic that really every private equity firm has embraced in some way, and we've seen them take proactive measures to one, understand the risk going into a deal, how good or bad is the target relative to cybersecurity?

Then after closing, how do we work with the portfolio company to improve their cybersecurity posture and ultimately increase what we call the maturity score over the life of the investment. Then add in complications like add-on investments. Last year was another record year for add-on investments. If you think about it, once a private equity firm has a platform company and they take all the steps to true up the cybersecurity exposure, and then they bolt on a company that's a third of the size and plug it right into the platform’s network, then we open up another can of worms and almost take it a step back. But it's great that we're able to help them both identify for the platform and the add-on acquisitions, how things look from a cybersecurity standpoint, what's good, bad or indifferent. Where I think a lot of clients value our work is given that roadmap of day one post-acquisition, one of the things that we had to put on the agenda, and we will work with a portfolio company to improve their posture and give real time updates to our private equity firms. Pretty exciting year overall and a ton of focus on cybersecurity. It's something that unfortunately in today's world, our clients just can't avoid, anyone really can't avoid being susceptible to cybersecurity activity.

CJ Dietzman (04:18):
Wow, Jon, you covered a lot of ground there. Thank you so much for that. Indeed in my view, in my experience, I'm sure you'd agree, cyber risk and technology risk is always a top five, if not a top three, key risk consideration when looking at these deals and then also when assessing and managing risk across the portfolios. Thank you for all of that. Mike White, as I said, Jon gave us an outstanding macro-view as well as his candid thoughts as the Alliant business leader in this realm for the M&A practice. Mike, what do you think, if you could dive in a bit and talk a bit about key themes you saw in 2024 specific to cyber risk and technology risk that were critical for our clients, things we helped them mitigate. And then the second part of the question is, what's the outlook for 2025, Mike? What do you think?

Mike White (05:03):
Absolutely, and thank you CJ for having me here. We saw critical items across that whole breadth of areas that we work with our clients, as Jon mentioned. We've seen these areas from our due diligence, our post-acquisition and our portfolio protect product. Within the portfolio protect, it oftentimes is the add-ons where the weakest link is, and that's an area that we put additional focus on to raise the cybersecurity program of those companies. So they are at the enterprise level with the rest of the company. From a due diligence perspective, we can continue to be engaged in industries that are highly regulated. One category that our team was engaged in was in the critical infrastructure. Specifically, this is the energy and transmission industry, which has complex cybersecurity regulations. It's an industry that is regulated by the Federal Energy and Regulatory Commission, and also the nonprofit, North American Energy and Reliability Corporation. The cybersecurity requirements are aimed at preventative cybersecurity programs, so that the companies don't experience downtime, but also enable them to quickly recover if an event is to occur. Our job is to really understand the nuances of the businesses, so we can determine not only if they're compliant, but also how the company can improve over the lifetime when it's in that portfolio hold period. We work with companies not only through diligence, but also during the hold with the private equity firm to increase their cybersecurity posture throughout the life of the hold period.

CJ Dietzman (06:34):
Got it. Thanks for sharing that, Mike. Jon, I wanted to pivot back to you for a moment if I can, as the co-business leader for our M&A and private equity practice, Jon. Candidly, just telling us like it is, I think we all would agree on what the upside is for our clients in conducting meaningful cyber diligence ahead of acquisition as part of broader diligence. What's the downside, Jon? If you could candidly summarize it for us, if organizations don't invest the time and take the time to look at cyber risk and technology risk, have you seen it go wrong, and what's your perspective? What's your message to those organizations?

Jon Gilbert (07:10):
Yes, it's hard, hard to think of a downside to being well-informed, particularly when it comes to cybersecurity. I guess the only thing you could say is sometimes it's better not to know something and be happy than to know something and have to deal with it, so that may be the only downside that I see. I would say by and large, all of our clients do some level of cybersecurity diligence prior to acquisition. It's also a standard requirement that we see from rep and warranty insurance. In every agreement that we see, there tends to be a very robust cybersecurity representation made by the seller. When rep warranty insurance is used to essentially step in the shoes of the seller to provide that indemnity, if there is a breach of the representation, then the insurer's going to want to see that the buyer took the standard of care to conduct due diligence related to cybersecurity of the target. That certainly has helped as well.

An added benefit, it makes rep and warranty insurance easier to get. One of the great advantages that we offer to our private equity firms and strategic acquirers is that Alliant M&A has five core services that no other broker has, period. We're way ahead of our competition. One is insurance diligence, employee benefits due diligence, cybersecurity diligence, IT or technology diligence and then certainly rep and warranty insurance. As I mentioned, rep and warranty insurance underwriting, when an underwriter is being asked to cover a cybersecurity representation made by the seller, there's going to be some level of scrutiny that the underwriters have relative to assessing the exposure for cybersecurity. From the insurer's perspective, covering that representation or that statement made by the seller that things are great, there's no issues, they know no issues and that sort of thing. But Michael, you've been in the trenches I know on countless deals and fighting the good fight with rep and warranty insurance carriers. Why don't you give a minute or two on your experience in that regard?

Mike White (08:57):
Absolutely, Jon, and I would agree. Over the past year, we've seen increasing focus from the reps and warranties insurers on our deliverable, on the depth and the quality of the cyber diligence that we deliver. Their focus is increasing at such a level, they're actually bringing cyber experts of their own to question and review our deliverables. It's not uncommon for us to receive calls, requests for conversations, outside the standard reps and warranty process, to go into depth all around the diligence, when their real goal is to ensure that the company they're insuring is at the right level. Are the programs at the right level? Making sure if something needs to be done before acquisition, it's done. If something needs to be done in the first hundred days, they want to make sure that's going to happen as well. So, they want to make sure that this target is at the level that they expect to provide insurance to.

CJ Dietzman (09:48):
Incredible points fellows. What gets me excited is that Alliant is offering this fully integrated wing-to-wing solution that covers not just technology risk, not just cyber risk, but whether it's reps and warranties, other key risk management and insurability considerations, truly providing that integrated suite of diligence solutions. It's an exciting place to be here at Alliant. Hey, Mike, wanted to ask you a follow-up question. If we can geek out for a moment here from a cyber and technology risk standpoint, are there two or three consistent and pervasive themes that you've seen in the body of diligence engagements that you've done, whether it's around identity and access management or privacy or compliance, anything you want to share with our listeners? Things that you've seen consistently organizations struggle with, which also can cause issues in some of these engagements. What are your thoughts?

Mike White (10:43):
It's all the areas you just mentioned, CJ. The increase of the mobile workforce really has real concerns around access management, identity control. How are you sure the person logging in is the person that you expect to be logging in, given they're logging in from any network around the globe? When it comes to regulation, slowly the regulators are catching on and making their requirements more stringent. You can see there's a proposed rule out by HIPAA around the security rule on some of the things they're proposing. A lot of things that weren't mandatory before are proposing to become mandatory. Not only is changing in user behavior the way technology's being used we have to look at from cybersecurity, but also AI is increasing the attack levels as well. When you think about that, it's nice to see that the regulators are on top of the critical areas like patient information, want to make sure patient information's kept secure, our national security grid, want to make sure our energy infrastructure's kept secure. Companies out there, if you're thinking about starting up, make sure you put great endpoint protection onto your systems, manage detection response. You really want to make sure that that's a baseline that you have. Real good identity controls around your users. You want to make sure only your users can log in. They have multifactor authentication, and that anytime you have or are inside a firewall, you want to make sure that there's complete end-to-end wrapping around of all data, data logging and data analysis, such as 24/7 SOC analysis. So without going into too much technical depth, CJ, I'll hand it back to you.

CJ Dietzman (12:23):
Thank you so much. There's a lot there as well, Mike. Jon and Mike, first things first, I want to thank you for taking the time out of your busy schedules to join the podcast and to discuss these topics today. Folks, listeners out there, as you can tell, Jon Gilbert and Mike White are two incredible Alliant colleagues with a lot of knowledge in the M&A space and the private equity space, as well as specifically insurance, cyber risk and technology risks. Please reach out to Mike, reach out to Jon, and as always, CJ here, I'd love to hear from you. Thank you so much Jon and Mike for joining the podcast today. Thank you to all of our listeners for joining us for another episode of the Alliant Specialty Podcast, and we'll see you next time.

Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.