M&A Due Diligence and Portfolio Oversight: Minimizing Cyber and Privacy Risks During the Deal Lifecycle


Chad Neale


  • Cybersecurity
  • Portfolio Company Risk Management

With data breaches, social engineering attacks, extortion, hacking, and other cyber threats on the rise, it’s become increasingly vital for private equity firms to manage their own cyber and data privacy risks as well as those of their prospective and current portfolio companies.

In our recent webcast, M&A Diligence and Portfolio Oversight: Identifying Cyber and Data Privacy Risks, Raj Bakhru, Partner at ACA Aponix, and I discussed troubling statistics and trends that affect portfolio companies, as well as increasing regulatory oversight and steps private equity firms can take to protect their investments. If cyber and data privacy risks are not identified and mitigated, financial loss and reputational damage can occur.

Regulatory Oversight of Mergers and Acquisitions is Increasing

The U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) is increasing its focus on portfolio companies and how private equity firms are acquiring them. The SEC announced its focus on M&A in its 2019 cyber examination priorities and reiterated this focus at the 2019 Mutual Fund and Investment Management Conference.

Since data privacy regulations including the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) also apply to portfolio companies, it’s important for private equity firms to ensure their portfolio companies meet regulatory requirements in order to avoid substantial fines.

Best Practices for Managing Portfolio Company Cyber and Data Privacy Risks

Here are steps that private equity firms should consider during the pre-deal, post-deal, and exit readiness phases:

Pre-Deal Diligence

  • Assess cyber and technology risks to avoid purchasing cyber liabilities
  • Assess data privacy compliance risks (e.g., HIPAA, PCI, GDPR, CCPA)
  • Conduct documentation reviews (policies, penetration testing reports, risk assessments, etc.), interview staff responsible for security, and assess maturity levels
  • Perform independent testing – don’t take portfolio companies at their word
  • Assess critical infrastructure
  • Assess proprietary software
  • Identify who is truly responsible for cybersecurity
  • Assess past breaches and impacts

Post-Deal Diligence

  • Perform ongoing cyber maturity sweep discussions that result in a portfolio company risk matrix, risk rankings, further conversations, and appropriate actions to address risks
  • Get buy-in from the board of directors and educate them on the importance of cybersecurity
  • Purchase cybersecurity insurance – discounts may be available for diligence efforts

Exit Readiness

  • Uncover issues before potential buyers do
  • Conduct mock due diligence for cybersecurity to identify risks and avoid embarrassments or penalties

To protect your investments at every stage of the investment lifecycle, it’s important to take cyber and data privacy risks into consideration. No portfolio company, no matter how big or small, is immune from attack. Be thorough in your pre-deal cyber, IT, and data privacy diligence and ensure it’s a continuing focus point during the post-deal phase. When considering exit readiness, maintain healthy cybersecurity to attract buyers.

How ACA Aponix Can Help

ACA's mergers and acquisitions (M&A) due diligence service offers pre-deal IT, cybersecurity, and privacy regulatory diligence of prospective portfolio companies to help investors determine cybersecurity risks at the onset, negotiate better deals, and align risks with the investment thesis. Our team of experienced technology, compliance, and risk professionals uses a business-oriented methodology to determine how the portfolio company’s potential aligns with the investment thesis, and provides the strategic roadmap and cost savings estimates required to achieve the investor’s objective during the hold.

For more information, contact [email protected] or your ACA consultant.

About the Author

Chad Neale, ISO, GCFE, is a Managing Director overseeing ACA Aponix’s IT, cyber, and transaction advisory practice. Prior to joining ACA, Chad served as the Cybersecurity and Privacy Director for PwC's Risk Assurance practice. In that role, he led various teams responsible for performing cybersecurity, privacy risk, maturity assessments, and attack and penetration testing for clients operating in a variety of industries including healthcare, financial services, technology, retail, aerospace and energy. Chad was also instrumental in developing PwC’s approach to delivering cybersecurity maturity assessments and establishing an offshore center of excellence.

Chad has over 20 years of experience in information security, privacy risk management, IT engineering and administration, and compliance readiness. Chad earned his Bachelor of Science in Electrical Engineering from the University of California, San Diego and holds several certifications including ISO27001:2013 Auditor, GSLC, GCCC and GCFE.