Cybercriminals have stepped up ransomware attacks against the financial services industry, and mergers and acquisitions have become entry points for bad actors trying to infiltrate private equity firms and their portfolio companies.1
Financial services firms are considered more vulnerable to a cyberattack than other companies and are at greater risk of a ransomware attack.
In most cases, organizations have little recourse but to pay the ransom. Ransom demands and payouts have risen as a result: the average ransomware payout for a midsize company now exceeds $1 million. In 2021, the average cost of a data breach (not including any ransom) was more than $9 million in the U.S. and $5.4 million in Canada.2
PE firms’ companies are targets
Bad actors see PE firms as particularly vulnerable — and lucrative — targets as cybercriminals shift their focus from large corporations to small and medium-sized entities, which typically make up a private equity portfolio.3
Ransomware takes a heavy toll on small and medium-sized businesses in particular: Bad actors encrypt a company’s data and make it impossible for the company to access its systems, and so to continue normal operations, without a sizeable payoff.
In addition, cybercriminals will exfiltrate confidential employee and customer information and threaten to release it in order to extort companies. Cyber insurance can help lessen the pain but can be expensive and may not cover the entirety of the ransom demand.
Why PE firms are particularly at risk
Here are three factors that put private equity firms at higher risk for ransomware attacks:
- Their portfolio companies are vulnerable: Small and medium-sized companies may not have adequate cybersecurity controls in place to protect against ransomware attacks, making them an easy entry point for bad actors. And because lawyers, financial institutions and third-party vendors are also involved in PE deals, hackers have additional routes into company networks.
- PE firms deal with sensitive information: During due diligence, PE firms and the companies they acquire exchange large amounts of information such as financial records, personnel data and proprietary company data. Cybercriminals know this and monitor deal announcements involving small and medium-sized companies, because of those companies’ cybersecurity weaknesses and the potential for easily accessing critical data. Once a company is acquired, the deep pockets of the PE firm make the acquired entity a bigger target for ransomware.
- They often face enormous time pressures: Private equity firms are often under pressure to close a deal quickly. That can result in managers overlooking certain exposures, including a target company’s cybersecurity. For instance, a PE firm in a rush to close a deal may forego requiring companies being acquired to implement proper cyber controls. By waiting to address cyber exposures once a company is part of its portfolio, a PE firm can put the other companies within its portfolio at risk.
Pre- and post-acquisition cyber risk management across the portfolio has become an essential part of protecting equity and creating value. As the ransomware threat landscape grows in both prevalence and sophistication, private equity firms cannot skimp on cyber due diligence: Otherwise, potential acquisitions can create more problems than they are worth.
Contact HUB International’s Private Equity experts and Cybersecurity specialists for more information on how your PE firm can manage risk.
1 FBI: Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims, November 1, 2021.
2 IBM, Cost of a Data Breach 2021, July 2021.
3 Wall Street Journal, “Ransomware Attackers Begin to Eye Midmarket Acquisition Targets,” March 1, 2022.