Cyberattacks targeting well-resourced businesses, especially those with institutional backing, financial support, and deep insurance coverage, are increasingly prevalent. Such businesses are likely to hold significant quantities of data and are viewed as better able to pay ransom demands. PE portfolio companies are therefore now in the crosshairs of sophisticated attackers.
Operational and service outage (often extremely costly in itself) is only the tip of the iceberg from a legal perspective: recovery and remediation costs, contractual disputes, litigation, and regulatory fines can all eclipse the costs flowing from the immediate trading impact. This growing threat level, combined with recent US enforcement action against directors, emphasises the growing need for board-level focus on cyber-incident preparedness.
1. Reluctance equals risk
What is appropriate from a security perspective depends on the organisation’s unique risk profile. While companies are commonly reluctant to share full cybersecurity risk detail during diligence, a prompt post-deal review of the board’s analysis of the risks in this area, and an understanding of how the target plans to address those risks, is critical. Regulators have fined companies for risks inherited in the M&A context. Recent incidents have emphasised the value of focused diligence: for example, companies are better placed to face down ransom demands if they hold high-quality, air-gapped data backups. Insurance may also be an option, but we have recently seen the market harden, with higher premiums, lower coverage, and more robust requirements.
2. Prepare for success
Many organisations fail when it comes to incident response because their plans are untested. For example, reporting requirements vary radically across geographies, requiring complex legal analysis that often has to unfold rapidly under extremely high-pressure circumstances, while the business is undergoing or recovering from an attack. Active preparedness is critical to success and goes beyond simply producing a documented response plan. Reviews, table-top exercises, and C-suite-level practice runs are all important and, in our experience, pay dividends if the worst should happen.
3. To pay or not to pay?
Ransom negotiation (often leading to payment) is an inescapable reality, especially if a business faces existential risk. Even though payment operates in a legal grey area (in light of the potential for breaching sanctions rules, anti-terrorist financing rules, and government guidance), where data recovery is otherwise impossible we have seen businesses routinely decide that payment in return for a decryption key is the most commercially palatable option. These issues can be navigated with advice from expert cybersecurity lawyers and negotiation specialists. However, they will invariably involve a delicate analysis of the risks, a precise understanding of the rules around sanctions and anti-terrorist financing, and an understanding of the regulatory and law enforcement appetite to take action, even against victim companies.
These considerations are particularly important given regulators’ expanding focus. Fines levied against companies (typically calculated on a whole-group basis) have been hitting the headlines for some time. Recently, however, US criminal enforcement action for failing to implement cybersecurity measures and concealing information from regulators (which itself can carry a custodial sentence) has targeted directors and managing executives in their personal capacities. Personal accountability for cybersecurity failings is an evolving area that directors should take seriously.