Private Equity's cyber due diligence


Private equity firms need to rethink due diligence in the face of rising cybersecurity threats to their own networks and to their portfolio companies.

CyXcel’s Chief Product Officer Megha Kumar shared her insight on this issue in RyeCroft Glenton’s UK North East: M&A Technology Sector Snapshot, H1 2024.


Cybersecurity, as defined under the EU’s General Data Protection Regulation (GDPR) and similar laws in other jurisdictions, entails the preservation of confidentiality, integrity and availability of information through the digital medium. 

The frequency of breaches that compromise the cybersecurity of an information network, or of the data held therein, is rising at an alarming rate: the number of reported incidents has increased globally from fewer than 500 in 2004 to over 10,000 by 2023. Since reporting is not mandatory across the board, these figures are, at best, directional.

The rise in the number of breaches and cyber incidents is due to multiple factors: notably, growing technological dependencies across sectors (including critical infrastructure such as hospitals and transport); the increase in remote working post-pandemic; and the use of cyberspace as a theatre for geopolitical rivalries (especially between Western states and their adversaries in Russia, China, Iran and North Korea).

The commercial, legal and reputational cost of such breaches and incidents is also intensifying. The IMF reported earlier this year that, as of last year, cyber incidents had caused aggregate direct and indirect damages worth between 1% and 10% of world GDP. As new technologies such as AI are integrated into complex information supply chains, the global data economy expands, and the barriers to the misuse of technology fall, the frequency, cost and sophistication of cyberattacks will continue to escalate over the coming years.

Faced with this threat landscape, investors, like other commercial and non-commercial entities, are paying increasing attention to the cyber resilience of their own operations and of their portfolio companies. And this evaluation is not limited to the pre-transaction due diligence phase: rather, it is being extended, as it must be, to the entire deal cycle.

Read more: North East: M&A Technology Sector Snapshot - H1 2024 - RG - Accountants & Business Advisors
