Cyber security intrinsic to safeguarding returns

Edward Snowden's revelations of global internet and communications surveillance conducted by the NSA propelled cyber security onto a supranational stage; the Heartbleed bug dragged it back down into the everyday. The World Economic Forum estimates that failure to address the increasing threat of cyber security could cost the global economy $3tn by 2020. Cyber security has become a defining threat of the modern era.

And the corporate finance industry is taking note. "This is not a new problem, but it has come to prominence recently," says David Petrie, head of the corporate finance faculty at the Institute of Chartered Accountants in England and Wales (ICAEW). "But in the earlier days, it was difficult to find examples where companies were prepared to go on record and admit that their security had been compromised to the extent that it had damaged their businesses, for very obvious reasons."

But one business did not manage to escape the limelight: Canadian telecoms firm Nortel was widely reported to have fallen prey to the efforts of China-based hackers. The attack is thought to have spanned more than a decade, allowing hackers to download R&D information, technical papers and business plans using passwords stolen from top execs. Though the breach was discovered in 2004, it was not thought to have been addressed in its entirety. In 2009, Nortel went into liquidation, selling off part of its assets without making full disclosure regarding the security breach. Avaya and Genband acquired part of the business, with some employees continuing to use Nortel computers, leaving the hacked in-roads open.

"We're seeing GPs consider cyber security more and more. It started in the hosting space; we worked on the MDMX and Easynet tie-up for Equistone, for example," says Iain Mackay, technical director at Intuitus, an IT and technology adviser to the private equity industry. "We're now seeing more technology due diligence engagements, and part of that involves scoping out what our clients should be looking at in terms of cyber security weaknesses. As the world has moved over to cloud services we are recommending that security is an integral part of due diligence because there are so many implications from cloud services."

Despite the dangers, less than half of financial services companies surveyed carry out third party audits of prospective cloud providers prior to procurement, according to research from information assurance firm NCC Group. More than 60% of respondents revealed they do not have contractual protection should the cloud provider fail – potentially risking access to sensitive data and software. And regardless of the fact that cloud services could precipitate a data-breach, around 80% of respondents intend to adopt further cloud services in the coming year.

Precipitating attack
But the cloud is not the only development that has driven the potential for cyber-attacks on corporates. "The first change that saw absolute control effectively taken away from centralised IT departments was driven by the mobile marketplace," says MacKay. "Five years ago, it was driven by Blackberries – they were incredibly secure because you had a centralised server running everything; you had absolute control from an IT management perspective. The business adoption of the iPhone and Android Smartphones was a game-changer. Suddenly your standard mobile phone can do everything that a Blackberry could do; everyone buys their own phone and expects it to connect to the corporate network, and IT departments no longer have the same level of control."

Add to that the number of personal computing devices entering the workplace and the rise of flexible working, particularly in smaller companies – often private equity targets – that cannot provide tech infrastructure to support remote working, relying instead on employees to use their own equipment, and a host of new challenges appear.

Another great question mark remains around data storage. While servers used to be found on-site in the computer room, a company's data could be stored anywhere across the globe. And just how secure is access? "Tying in all these strands is identification and authentication; how do you really know who is connecting to your company systems? Are competitors accessing your data? Or are people stealing your data and doing malicious things, taking your clients' identities, products, services or IP?" says Mackay.

Given the potential impact on corporate value, the threats for private equity are very real. "On day one of any transaction, private equity players are eyeing an exit – that's one thing they are crystal clear about; they know what the end game is and how they want it to turn out. Intellectual property walking out the door is an area that could totally derail a transaction, or the value of the transaction," says Martin Tyley, partner at KPMG and head of the cyber security practice in the UK regions.

IP addressed
Backing smaller businesses with unique, innovative technologies is the asset class's bread and butter. Indeed, competitive and economic advantage is often derived from long-term investment. Intellectual property must therefore be safeguarded or companies risk unwittingly sharing the secrets of success with a competitor, reducing returns for private equity backers. With so many parties privy to sensitive information such as commercial data, intellectual property and client information – not to mention pricing in a private equity transaction, including audit, due diligence and legal professionals – one weak link could corrupt the entire chain. And professionals across the industry, from private equity firms to associations, are waking up to the dangers.

Earlier this year, the ICAEW joined the Cyber-security Information Sharing Partnership, set up by the Cabinet Office as part of the government's campaign to make UK businesses safer in cyberspace in partnership with GCHQ and the National Crime Agency. "The NSA has not done what GCHQ and the Cabinet Office did in terms of reaching out to the finance-raising and banking community, saying something needs to be done. What we have done in the UK is unparalleled. The ICAEW has sent copies of the faculty's Cyber Security in Corporate Finance to various agencies and regulatory bodies in the US," says Petrie.

The representative body for European finance markets recently recommended its members include a review of cyber security on the due diligence checklist. Will private equity follow suit, giving cyber security issues the attention they deserve? According to a survey carried out by PwC and the Confederation of British Industry, 76% of investment managers intend to boost spending to combat cyber security threats in the next 12 months. "The issue is growing in prominence," says Mackay. "I think the investors that concentrate on tech investments understand it. But perhaps with investors that invest in more traditional organisations the whole thing isn't such a great concern of theirs in terms of security leakage and potential loss of valuation. But it should be." Industry consciousness may have awoken, but will it react quickly enough?

• Tweet  
• Facebook  
• LinkedIn  
• Google plus  
• Send to  

• Topics
• Technology
• Industry
• Top story
• KPMG