EPISODE 155
Cybersecurity and data privacy in M&A transactions



About this episode

April 9, 2024

The role of cybersecurity and data privacy due diligence when buying or selling a company has gone way up compared to five years ago. Why? And, what’s at stake? Let’s find out with our guest Brian Levine. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today on episode 155 of the Cyber Risk Management podcast?

Kip Boyle: Hey, Jake, we are going to tackle something that I don't think we've ever really talked about as a dedicated episode, and that's the role of cybersecurity and data privacy within the context of company mergers and acquisitions. This is going to be a great thing to talk about, because we're going to get help. We have a guest, his name's Brian Levine, and he's a managing director at Ernst & Young, and he works in the Strategy and Transactions, Cybersecurity and Data Privacy Group. So it all lines up, and I think we're going to have a great conversation. So Brian, thank you for being our guest. Welcome to the podcast, would you introduce yourself so that everybody knows something about you and your work?

Brian Levine: Yeah, absolutely. Well, thank you very much, really excited to be here, thank you for having me. I am Brian Levine, as you mentioned, I'm managing director of EY's Transactions Cybersecurity and Data Privacy Group. We are a very unique group of 50 cyber and data privacy geeks, that just focus on the transaction and private equity space. So we've done over a thousand cybersecurity and data privacy due diligences. We work on integrations, on separation, so-called corporate divorces. We work on exit readiness, sell-side diligence, IPO readiness, and we help our private equity clients secure their portfolio during the hold or value creation period. And I have kind of an unusual background for consulting. I joined EY about five years ago from the U.S. Department of Justice, where I was actually a cyber crime prosecutor, and national coordinator for the other 300 cyber crime prosecutors around the country. Prior to that, I was a regulator with the New York Attorney General's office in their Internet and Technology Bureau. And prior to that I spent about 10 years doing technology and securities litigation with some big law firms, primarily Morrison & Foerster in Palo Alto, better known as MOFO, and Paul, Weiss in New York, which is a good firm but has no funny abbreviation, so maybe it doesn't count. That's a little bit about me. Pleasure to be here today.

Kip Boyle: Oh, that's fantastic.

Jake Bernstein: That's great. We have a lot of similarities in our background. I was in the high-tech unit of the consumer protection division of the Washington State Attorney General's office, as I believe we have discussed in the past. So definitely understand that. And maybe let's start by just kind of digging into a little bit of that background, and what that background brings to the work that you do now, and we'll of course talk about that, but I'm really fascinated about that. I'm curious to hear how you look at that.

Brian Levine: Yeah. Well, it's very helpful, let me put it that way. Very helpful for the work I do now, because the challenge of the space that I'm in, is that I'm dealing almost entirely with business people, and not with technologists. I'm getting the information from technologists, but then I am reading it out, essentially to business people who are deciding whether to acquire a particular company or not, and how much to pay for it, what conditions should be associated with the transaction, and similar type questions that are really business questions. And they don't really want to get into the minutia of the technology, they just want to understand how does it impact the deal, the risk associated with the deal, and the terms of the deal. So it's really useful not only to be able to translate the technical into the business side, but also to be able to think about the risks in terms of the practical implications. What is a regulator going to think about this particular transaction? What is a court going to think about this particular transaction? And what is a plaintiff, a potential plaintiff going to think about the transaction? And where does the risk really lie? Because nobody has perfect security, there's no such thing as perfect security. It's just sort of understanding where these companies are along their journey, and how that may impact risk.

Jake Bernstein: That's great. And one of the things I think is so very true, is that when you're working with the businesses, they do need that translation service. I feel like a lot of the time that is what our role is, is translators between the security and the technical and the business and the leadership-

Brian Levine: And the legal.

Jake Bernstein: Yes. And I think that it's a hugely important aspect to what we do. Last thing I want to talk about before we go into the actual script, because that's what we do here is ignore our scripts. You mentioned that you primarily are on the private equity side. So maybe just explain for the audience who really ... I mean Kip, I think we've done one or two previous episodes about M&A, but there's a lot of uniqueness to the M&A world, and there's a lot of different subparts to it. So like Brian, you're doing private equity, which is different than huge publicly traded companies. So maybe just give a brief overview of what you mean by that, so people can kind of get grounded in where we are from a business standpoint.

Brian Levine: Yeah, that's a great question, but let me clarify, I really do both, and I can tell you a little bit about what the difference is. So when we're doing corporate acquisitions, it's more likely that there's going to be a longer period of time to focus the diligence, to understand the target. And in my experience, it's more likely we're going to have exclusivity, which means that there's not a lot of other companies looking to acquire this one. So it's a more genteel environment, if you will, and we can dig a little bit deeper, and our clients generally want us to dig a little bit deeper. Then on the other hand is the private equity side, and on the private equity side, these guys do a lot of transactions. Basically what a private equity fund is, is an investment fund that exists typically to buy other companies, to increase their value, and thereby increase the value to their investors.

So all they do is buy companies, or interests in other companies, it might not be a hundred percent interest, it might be a minority interest, but in any event, they're concerned about the companies they're buying, they don't want to buy into a breach. But what's different in that environment is, many of the deals are very competitive, they're very fast moving, and so you're more likely to not get all the information you need, and have to deal with ambiguity, and inference, and getting information from the outside in, because you won't always get it from the target itself. So it's a much more fast-paced environment. The other difference, and this doesn't have to be a difference, but for our private equity clients, and we may talk about this a little later if we get that far, they have to think about the security of all these independent companies, during what they call the hold or value creation period.

Typically, they acquire these companies, they hold them for five to seven years on average, and then they sell them. But during those five to seven years, they want to make sure they're secure and they don't have breaches. So we help with that as well. Now on the corporate side, sometimes there's something similar going on, and if you have an acquisitive corporation, one who acquires a lot of companies, and doesn't really integrate them, then they may also have a portfolio of subsidiaries that sort of has to be managed in a similar way from a security perspective.

Jake Bernstein: Super helpful background. So I think one of the things you said that is fascinating is that there's this hold period, right? Five to seven years, because the business of private equity is to buy, hold and then sell, right? And if you allow a breach to occur during that hold period, well, you've just diminished value of that, the enterprise value has gone down. And I think one of the more famous examples of this, though it's not private equity, wasn't it Verizon who bought ... oh, I guess we're going to talk about the Verizon Yahoo example is a classic one, where a data breach cost ... was it? It was a lot of money. I don't want to-

Kip Boyle: It's a quarter billion dollars as I recall.

Jake Bernstein: Yeah, I think that it was, and we will talk about that. Okay. Brian, what is the importance of doing effective cybersecurity data privacy due diligence, in the diligence phase, whether it's a big deal, a small deal, private equity, or otherwise?

Brian Levine: Yeah, so what's interesting about that question Jake is, there's different phases of a transaction. There is the diligence phase, what's called the sign to close phase, and then the post-close phase. And a lot of acquirers who are not as familiar with cybersecurity, or who don't recognize the risks there, want to push it off as far as they can. Because they feel like, well, this isn't one of the major risks we're focused on. So they might not think that they need to do it during the diligence phase, which is the first phase. And that's okay, it's better late than never, but the earlier you do it, the more advantages there are, the more benefits of doing diligence, and I want to discuss at least six of those. So one is, if you do it during the diligence phase, and you identify a deal-breaking risk, you don't have to go through with the deal. Now, most of the time, that's not going to happen. Most deals are going to go through even though there are cybersecurity concerns, but we have had a few where, based on the cybersecurity and maybe some other concerns, the client said, "Yeah, we're going to pass for now." So if you wait till the sign period, the sign to close or post-close, it's too late to get out of the deal, in most circumstances. That's the first thing. Go ahead.

Jake Bernstein: And just on that point before we move on to the next one is, do the deal or not do the deal, aren't the only two options, when you discover a cybersecurity incident. You can make purchase price adjustments, you can do little indemnity tricks on the back end within the agreement. So it's important, but all of those things can't be done if you haven't done the diligence, with time to do it.

Brian Levine: Yes, in the phase to do it. And you made two great points there. So one is, if you do the cyber diligence during the diligence phase, and you realize you're going to have millions of dollars in expenses related to getting the company's security in shape, you can reduce the acquisition price potentially to cover that. And we have reduced acquisition prices by as much as 10%-

Jake Bernstein: Which is a lot.

Brian Levine: Which is a lot. In the instance I'm thinking of, it was over a billion dollars. So don't ask me if I got any percentage of that, unfortunately I didn't.

Jake Bernstein: It's not how these things work, which is so unfortunate.

Brian Levine: No, very unfortunate. If that happened, I would no longer be working. But in any event, you can reduce the acquisition price significantly. And to your point, you can also get better contractual protections if you know more about the environment and what the risks are. If you're just shooting blind, you're going to get the sort of general contractual protections that every lawyer says to put in, but if you know specifically what they don't have, and need to have, or what you're concerned about, you can put in deal language specific to those things. So that's exactly right. Even if you don't get out of the deal, which is less likely, you're hopefully going to get these contractual protections, or reduce the acquisition price.

Kip Boyle: So Jake, how are you so knowledgeable about this?

Jake Bernstein: You're asking me?

Kip Boyle: Yeah. How do you know about these questions to ask, and the little nuances? You're doing some of this work, aren't you?

Jake Bernstein: Oh, because Kip, about a third of my practice is this, these days. So yes, it's not a part of my practice that we spend a lot of time talking about on the podcast, but that's how Brian and I know each other is, we've worked on several, at least one or two, at least, I think at least two deals simultaneously. So yes, that's how I know what's going on here.

Kip Boyle: So that brings up a question. So if Brian is a recovering attorney, why does he need you?

Brian Levine: Go ahead, Jake.

Jake Bernstein: Well, so ...

Brian Levine: You want me to answer it?

Jake Bernstein: Well, you answer first and I'll-

Brian Levine: No, so the diligence is always a very collaborative effort. There is never a diligence that we do, where outside counsel is not involved, because you got to have a lawyer ... you get a lawyer involved when you're buying a house, and hopefully your house is a lot cheaper than some of these companies that we're looking at, unless you're Steve Bezos or something like that, or Jeff Bezos, sorry, combining two of the billionaires. So you're always going to have outside counsel, and the outside counsel is typically looking at a lot of different areas. So they're typically looking at all kinds of legal risks, including intellectual property, including security, including compliance across the board, including the deal terms itself from a legal perspective. So what we're focused on at EY, and whenever you bring a consultant in, because there's also almost always an outside accounting consulting firm involved, we're looking at different areas that have some overlap, but not complete.

So we look at accounting, finance, tech, product and commercial. Is this company actually competitive, from a product and commercial standpoint? Strategy, we're looking at their IT, how much tech debt do they have? We're looking at their cybersecurity and their data privacy, and we're often looking at doing all kinds of technical tests and things like that. So when we're involved and Jake's involved or another attorney is involved, we like to collaborate from the beginning. We like to meet with them right at the beginning, and understand what we're both doing. And then we like to take advantage of the fact that we're both involved to get as many meetings, and get as much information as we can, and then to make sure we're aligned. Because a real ton of information is thrown at you in the context of a transaction over just a couple of weeks, and it's really easy for one person to miss something, or to have a different take on something. And it's really great to have that collaboration with a law firm.

Jake Bernstein: And we're also doing different things that inform each other. So for example, the lawyers have to write what's called the diligence memo, and that can serve a couple of different purposes. EY will write its own type of a report, but that report will get incorporated into the legal memo, which is privileged, whereas the report technically wouldn't be, unless it's supervised by counsel, which is a lot like some of the work we do Kip, and then we also draft and negotiate the actual purchase language, right, now, Brian could probably do that since he is, as you said, a recovering lawyer. But at least for now in the US, consultants can't practice law. That's just not how it works.

Kip Boyle: Okay. Okay. That's good.

Jake Bernstein: And to be honest, as we already kind of mentioned, Brian is not the most common of ... he's much different than many consultants. Most consultants in this area are not lawyers, they're not former federal prosecutors, they're technical experts. And so that's a big part too.

Brian Levine: And to be clear, I still consider myself a lawyer. I don't consider myself recovering, I haven't recovered yet. I'm still admitted in New York, DC and California. And EY is still I believe the largest law firm in the world, it's just in the United States we can't practice law due to American Bar Association rules, because they don't think they can compete with me. I don't know why they're so scared of little old me, but somehow the American Bar Association doesn't think you can compete with me. But you're right, we're not practicing law in the US, so we're not drafting contracts, we're giving our opinions on security, we're doing technical testing, and we're able to get quite deep in terms of identifying risk and understanding its impact on the deal.

Kip Boyle: Okay, so let's continue on then. I appreciate the aside, because I just want to make sure that everybody listening can really understand well, hey, why do we have two lawyers here? How does that work? So that's cool to get clarity on that. Now, counterparty risk, and transaction risk. When we were doing show prep, Brian, you mentioned these two different types of risks, and I would love for you to just describe them and what's different about them? Why is this important?

Jake Bernstein: I also think we had five things left to go. We only got through one.

Brian Levine: Well, we got through ... yeah. Let's see what I can do in the context of the next question. We got through a couple of the reasons to do cyber diligence during diligence, but so counterparty, there's two kinds of risks associated with transactions, when it comes from a cyber standpoint, and this is the Cyber Risk Management podcast, so we got to manage those two risks. The first risk is counterparty risk, and that's the risk that the target, the company you're looking to acquire, is already breached, has already had a security incident, or that their posture, their security posture or their compliance posture, is so immature that it's really only a matter of time. So we'll talk maybe in a little bit about Verizon Yahoo, and Marriott Starwood, but those are examples of counterparty risk. The other kind of risk is transaction risk, and that's the one that we've been seeing a lot since Covid.

And that is the risk that the transaction itself, and the increased publicity around the transaction, will actually result in the target getting ransomware or another kind of cyber incident. Sometimes it's the acquirer will get it as well, or instead. And what I have discovered, I initially assumed that what happened was, the announcement went out, and all these ransomware actors would pound the target with ransomware and one would eventually get in, and that's what we were seeing. But I discussed the issue with my former colleagues at the DOJ, who have been investigating this for quite some time, and they say that does happen. But what's more common is that the ransomware actor reads about the announcement, and then reaches out on the dark web to the initial access brokers, that's their fancy name, IABs, who might be in the dark web forums or in the marketplaces and say, "Does anyone already have access to this target company?"

And shockingly, in most instances it seems that somebody raises their hand and says, "Yeah, I've already pwned them." And then I guess the two get together and split the proceeds of a ransomware attack. And it's important to know that in many cases it's because they've already been pwned, if you will, that leads to this result because it impacts how we treat the acquisition in terms of reducing that risk. And reducing that, the impact of the increased attacks upon announcement, is one of the benefits of doing cyber diligence during the diligence phase. Because if you've waited and the announcement has already happened, then you can't go back in time necessarily and reduce the risk.

Jake Bernstein: Now that is ... okay, so Kip for me, that was new information, and super fascinating. I think it also requires us to caveat one of the more common pieces of advice that we generally, which is to say to clients, "You have this idea." One of the fallacies is this ... why am I blanking on the cute little phrase, but the reliance on staying hidden. What is the phrase I'm talking about? It'll come to me.

Brian Levine: Security by obscurity?

Jake Bernstein: Thank you. Security by obscurity. It was a cute phrase, and it was just not coming to my mind at the moment. But yeah, one of the reasons we often tell people that security by obscurity doesn't work is that they aren't being targeted, this is just how things happen. But that isn't always true, is it? Sometimes you are targeted, and I think that just, one that goes to the general matter, that cyber is a dynamic risk, and it isn't predictable like weather events might be, or at least it's both and it's more complicated than that. So that is a really important point to always remember. And then this idea of these, what'd you call them? Existing access?

Brian Levine: Initial access brokers.

Jake Bernstein: Initial, initial access brokers, is fascinating, also terrifying. But that's one of those ... I think it's a good reason for cyber risk analysts and cyber risk managers to understand the dark web, and the criminal element, which is something that a lot of, so-called, civilian cyber risk managers don't.

Brian Levine: [inaudible] which has helped a lot of our clients, is that my previous approach had been, all right, when you tell me, client, that you're likely to go forward with this transaction, let me meet again with the target, and I'll tell them how to batten down their hatches to survive or do better with the increased attacks upon announcement. Now I still do that, but now I know that battening down the hatches might not help that much, if the bad guys were already in the system. So instead, or in addition to, rather, what I try and do almost on every acquisition now is, a couple of weeks before announcement, to start a compromise assessment. Which is a technical test, of course the target has to agree to this, but in my experience, the target does not want to end up with ransomware either. They don't want the transaction to be forever known for that, instead of this great event.

So we'll start a compromise assessment a couple of weeks before announcement, which is essentially a way for us to find, is there any malware already there, are there any backdoors, are there any bad actors in the system? Are there any critical or high vulnerabilities that are likely to be exploited upon announcement? And then we can close those hopefully prior to announcement, or if we can't, maybe we can delay announcement a little bit till we can close them, and make sure the posture is appropriate.

Jake Bernstein: Super interesting.

Kip Boyle: Do you have any stories you can tell us about things that you've found that were hair raising, or just notable in some particular way?

Brian Levine: Yeah, absolutely. Well, just a couple of weeks ago we did one of these compromise assessments, and I get a call at some odd hour, and I hop on a Teams call, because the compromise assessment team, or expert threat hunters, this is all they do, says "We see a live actor in the target systems. It's a ransomware actor, they're trying to do their ransomware thing." And the question was, what do we do? So they had already quarantined the system, meaning they disconnected that system from the internet, and from the rest of the network. So the damage that could be done at that point was limited, but the question was whether to wake up the client, whether to wake up the target. So the first thing I asked them was, "Let's go over the evidence that this is actually ransomware. This is actually malicious activity," because sometimes, as you know, some activity that appears to be malicious could be innocent and I didn't want to wake everybody up, and then it turns out there was a reason for it.

In this case, they started walking through, all right, he goes on, he downloads from offline, he uploads this ransomware tool, and then I'm like, "All right, okay, I get it. This is not a false positive." So we started to immediately get the client involved. And the ultimate outcome of this, besides having stopped the ransomware attack, was it turned out that this company had been the victim of a previous incident that they thought was fully resolved.

Jake Bernstein: That's so common.

Brian Levine: But it was obviously ... so common, obviously it was not fully resolved. And so they retained EY's Incident Response Group, the target itself retained EY's incident response group, to make sure it was fully, fully resolved, which we were able to do. And then we continued monitoring through the compromise assessment. Ideally, what we like to do is monitor through the compromise assessment, before announcement, and during announcement, and after announcement, so that if the increased attacks start happening, we can kind of be there to help triage and help the target. Which typically is not as well defended as the acquirer, but there are times where the acquirer is not so well defended either. And they've asked us to set up live compromise assessments on both for the announcement period.

Kip Boyle: Man, that story is so revealing of so many things. Thank you for telling me that.

Brian Levine: Yeah, no problem.

Jake Bernstein: Let's keep going. Yeah.

Brian Levine: All right. Yeah, so that was the counterparty risk and the transaction risk. And I had mentioned briefly the Verizon Yahoo and Marriott Starwood as being good examples of the counterparty risk. Would that be useful for me to discuss those cases briefly? So these are good bookends, because in one of them things went well and in one of them things went poorly. And the difference was, when did you identify the security incident? Verizon found out prior to close that Yahoo was already breached, and that all their accounts had been breached. As a result, Verizon was able to reduce the acquisition price by $350 million, which isn't chump change, but what most people don't realize is, they were also able to force Yahoo to create a surviving entity, which Yahoo called Altaba. I'm not sure what that means, but that was the surviving entity, and the rule was it had to be sufficiently capitalized to cover up to 50% of the exposure from this incident.

And since that happened, Altaba has continually been trying to dissolve and take that money back to whoever's money it is. And the Delaware Chancery Court, which has been overseeing it, has continually been saying, "Sorry, Altaba, you're keeping that money right where it is, because the damage is here, the exposure could be as much as 3 billion dollars with a B, and so you may have as much as 1.5 billion in liability in addition to that 350 million." So this is a great story of Verizon handling this situation appropriately, because they identified the issue prior to sign. On the other hand-

Jake Bernstein: Yeah, exactly.

Brian Levine: The other hand, Marriott did not identify the fact that Starwood was breached prior to its acquisition, and so just had to live with that. So far, there's a lot of disagreement in the press about what this has cost Marriott, but my guess is it's probably in the hundreds of millions of dollars by this point. The litigation is still ongoing, even though it's been almost 10 years now, I think, since that originally happened. And so we don't know what the final bill will be, but the other aspect of it is the reputational impact, because nobody remembers except for us really in the business, that this was Starwood that was hacked. People think of it as the Marriott hack, and so they just own that hack as a result. So it's a perfect example of counterparty risk, and why it's important to identify that as early as possible.

Jake Bernstein: Yeah, that's a huge great story, and just shows the difference that exists between timely cybersecurity and privacy diligence, and poorly timed.

Kip Boyle: I think if there's anybody in our audience that was unclear about that before now, it should be completely clear.

Jake Bernstein: So let's move ahead to post-closing, to what you call the value creation period. How do you secure the portfolio during the value creation period, and how much ... let's just start it by asking, how much should the fund or the private equity investor, the owners who hold it, how much should they be involved in overseeing portfolio security, and why might that be important or why is it a debate?

Brian Levine: That's a great question, because there was a big shift in the last couple of years on this issue. When I started doing this work about five years ago, it was the view of PE that we'll do cyber diligence maybe during the diligence phase, but then we're going to be as hands-off as possible with respect to cybersecurity. And I think that was true for two reasons at least. One, they didn't want to be micromanagy, because they wanted to be seen as the right PE to go with, because now we're going to stay hands-off, at least in this area. And two, they didn't want liability potentially flowing up to the fund level. They didn't want the corporate veil being pierced, so to speak. They wanted that arm's length separation. But their view has completely changed in the last 24 months, 36 months or so, last two or three years.

And I think the reason is because of three main things. One, we've seen a huge explosion in regulation of the cyberspace, and the data privacy space. Virtually every state in America and every country abroad, either now has a data privacy rule, or cybersecurity legislation that's out or is in the works. Federally, we see all kinds of legislation, probably the most well-known at this point is the SEC's new cyber rules for registrants, for SEC registrants. And so the stakes have gone up from a regulatory perspective. The second factor I see is that there's just been an explosion of very high-profile cyber incidents, incidents like SolarWinds, which may have impacted 18,000 companies, incidents like Colonial Pipeline, which resulted in grandma filling up her plastic bag full of gasoline. She didn't really understand the incident, but she wanted to make sure she had gas. You knew this cyber had truly hit home when you saw grandma on TV.

And then the final thing is, in the last couple of years, cyber insurance costs have gone up by something like 400%, and exclusions have gone into place where you're paying more and getting less, and it's been hard for companies to even get cyber insurance. So I think these factors have caused private equity to say, "Look, at the fund level, we need to start thinking about securing the portfolio. It's now more risky for us to do nothing, than for us to try and help at some level." And I've talked to a lot of attorneys that focus in this space, and they all agree that it's more risky for them to not do anything, than for them to do something. And at this point, what I find is, each private equity is handling it a little bit differently, because private equity is very different. There are some sector-specific private equity funds. There's some super large private equity funds that have hundreds of portfolio companies. There's some small ones that have only five right now. There are some that are regional, there's some that are global. And so there's no one-size solution that fits all here.

What I like to do is meet with a private equity at the fund level, and have a whiteboarding session with them, and figure out what makes sense for their portfolio. But usually the common elements of these kinds of programs are, one, you're figuring out some baseline from which to assess your portfolio. So you have some visibility, some apples-to-apples comparison across your portfolio. So whether that's going to be a framework like NIST or ISO 27001 or CIS top 20, or 18, or whether you're going to come up with your own baseline controls, is going to differ from fund-to-fund. And that decision is not a one-time decision, it can evolve over time and usually does.

The other element of it is some form of regular assessment, and that assessment can be very different in terms of how light or heavy it is, whether it's all inside out, whether it's all outside in, whether it's both, whether it involves technical testing or not. It usually also involves regular check-ins with the portfolio companies, to understand where they are, how their risk level has changed, how what they're doing has changed in the marketplace, and how they've developed their cyber program. And then the final element that's common amongst these portfolio companies is, they want to ... or at the fund level, they want to have a single pane of glass view of what does security look like, what does a risk level look like, and what does the maturity look like across the portfolio? So they want a provider to be able to help them get that sort of visualization at any given time, because they're always now having to report to their boards and their management about how they're managing this risk.

Kip Boyle: That last one seems like it would be the toughest one. A single pane of glass.

Jake Bernstein: And what do you mean single pane of glass? That's what I was curious. Do you mean a single screen with a dashboard or do you mean I can quickly score through transparency?

Brian Levine: Well, [inaudible] a hologram is best if you can have sort of a ... but some boards don't know how to put on VR glasses. So yeah, we're talking dynamic dashboards, or other technology to help one quickly ask questions about the portfolio security, and have those answered in real time, as opposed to having to call somebody or having to compile a lot of data.

Jake Bernstein: Interesting. I mean there's a lot of change going on. And then what size firms are you most active in? Are you doing mostly larger PE firms? Or do you get involved in middle market, where it seems to me that the cyber risks are probably higher, simply due to lack of resources? Where do you generally play?

Brian Levine: It's a great question. So we play across the whole range. I have clients, PE clients who have five portfolio companies, and I have ones that have hundreds, and we play across that whole space. The big difference, however, I would say, is who we're working with at the fund level. At the larger funds, they now have someone at the fund level in many cases, who is just focused on security, or security and maybe IT for the portfolio, they actually have a position there, but it's not like that person can manage it alone, because as you know, it's hard enough to manage the security of one company, let alone 200. So we're working with them to help do that. For the smaller ones, they don't have that person who's in house, so we might be working with an operating partner, or even a member of the deal team, who as their side or one of their side jobs, has been tasked with thinking about security for the portfolio.

Jake Bernstein: Yep. Super interesting. Kip, what questions do you have? I mean, this has got to be a lot of new stuff for you. We haven't talked about it that much, and I can see you furiously scribbling.

Kip Boyle: Yeah, so honestly, I have more questions than time will allow, and so I'm feeling nervous about opening up a can of questions here, when we might not be able to finish that. I want to just acknowledge we're like 37 minutes into the episode, and I just want to respect our audience's time. We've received plenty of feedback that they want us to be in the 30 to 40 minute range. Yeah. Anyway, so appreciate the prompt.

Brian Levine: Maybe I could close, maybe I could close with some words of advice.

Kip Boyle: Please do.

Jake Bernstein: Yes, let's do that.

Brian Levine: So what I would say is, anybody in the transaction space or private equity space these days, has to think about security. And that includes not just private equity, but anyone making large investments, whether they're minority, whether they're small investments, whether they're billion dollar investments or million dollar investments, there's different ways it can be right sized for your particular investment. And the other side of this is, if you're putting yourself up for sale, if you're exiting, whether that's through an IPO, or whether you're going to put yourself up for sale for a merger, for an acquisition, sell-side diligence is becoming increasingly important, because you don't want a jerk like me to come in and reduce your acquisition price by $1 billion, because every transaction now is going to be reviewed and assessed from a security standpoint. So just like staging a house for sale, and I can talk about that, because I fell for a staged house.

I've only bought one house, it was staged, it looked very large when we visited it, but it turns out the furniture they had in it was dollhouse furniture. So when we actually moved into the house, we realized the house was a lot smaller. Luckily you don't know me in person, but luckily my wife and I are also dollhouse sized, so it was still big enough for us, but for most people it probably wouldn't have been okay. So you want to stage your company for sale from a cybersecurity and data privacy standpoint, and we help companies with that too. So wherever you are in the transaction lifecycle, we can help. And the last thing I want to say is, I'm very active on LinkedIn, Brian Levine, Cyber Law or Brian Levine EY. I post every single week with original thought leadership and would love to continue the discussion with everybody over LinkedIn.

Kip Boyle: That is wonderful. I really appreciate parting thoughts, Brian, and particularly your mention about buying a house as being a conceptual way to think about how these firms are buying and selling other companies, and the kinds of diligence that you need to do before you actually put your money down on the countertop. Thank you very much. Okay, so really appreciate you being our guest. And Jake, any last words before we wrap up?

Jake Bernstein: Yeah, but not that I can complete in the allotted time, so we'll have to revisit this topic again on the podcast, it's super important. I think what I will wrap up with is, just to note that this has rapidly evolved. As Brian said, five years ago, it was uncommon to even do privacy and cybersecurity due diligence in a deal. And then I think I've mentioned it before, but I've only been in this space for not quite three years. And I can tell you in the time period that I've been dealing with it, even within that shorter time, I've seen data privacy and security go from being sort of an afterthought, or get tucked into the intellectual property section, of either the deal paperwork or the due diligence. And now more often than not, I get my own section of the purchase agreement, however it might be structured, whether it's a merger or even an asset purchase, or an equity purchase agreement, there is a whole section there for data security and privacy, and that is a shift, there's no doubt, and it's never going back the other direction. So this is the reality that we live with.

Kip Boyle: All right, so the world has changed, we've adapted, we'll continue to do that. That's a really big theme of this podcast, no matter which episode we're doing. But let me wrap it up. That does wrap up this episode of the Cyber Risk Management Podcast, and today we talked about cybersecurity and data privacy in the company, mergers and acquisitions space. We did that with our excellent guest, Brian Levine. Thank you, Brian for being here, and we'll see you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle, that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.