Renewable energy and generative AI are two recent hot spots for private equity investment, but those sectors come with unique cybersecurity risks that might surprise dealmakers. Kenny Boyce, CEO of Third Party Cyber Security, joins the podcast to discuss the cyber threats that crop up across every stage of a deal’s life cycle, sector-specific cybersecurity challenges and how investors can mitigate those risks.
Middle Market Growth: Welcome to the Middle Market Growth Conversations podcast, I’m Carolyn Vallejo. Renewable energy M&A has been a hot topic in recent years, with S&P Global Market Intelligence predicting that 2024 will be a banner year for private equity clean energy and renewables dealmaking. Here with me to talk about the surprising cybersecurity risks investors need to consider in that space is Kenny Boyce, CEO of Third Party Cybersecurity, or TPCS. Kenny, welcome to the podcast.
Kenny Boyce: Thank you, Carolyn. It’s a pleasure to be here.
MMG: How about you kick us off by sharing a little bit about your background and your current work with TPCS?
KB: Certainly. So TPCS was set up with two main goals to support our private capital customers. Those two goals were to ensure that our customers are aware of the cybersecurity risks that are presented within potential portfolio companies and also to ensure that post-deal, any investment doesn’t degrade because of poor cybersecurity within the portfolio companies. And so from a pre-deal perspective, we like to ensure that we manage and assess the cybersecurity risk within a portfolio company. We then try to map that, at all times, to an exposure risk that presents to our customers. That may be venture capital, private equity or indeed M&A.
And then finally, our third pillar of that pre-deal due diligence is to understand the cybersecurity risk and how that may affect deal economics. An example of that may be a really serious cybersecurity risk, meaning that our customers, a private equity firm, may be taking on additional risk within the deal and may want to restructure the deal economics to reflect that additional risk that they take. And from a post-deal perspective, we work with the portfolio companies to ensure that when it comes to exit, they have the ability to demonstrate to potential buyers or further fundraisings that they take cybersecurity really seriously and they have a documented and consistent approach to cybersecurity.
MMG: Cybersecurity definitely is becoming more top of mind for dealmakers and is a factor dealmakers need to consider throughout the entire deal life cycle, as you just mentioned, from sourcing and due diligence through exit. However, when it comes to cybersecurity in the renewable energy space, that’s a bit more surprising and maybe it’s not an industry where dealmakers are going to really think that cybersecurity should be top of mind. In today’s market, renewable energy has been attracting a lot of attention from investors—could you talk a little bit about the cybersecurity concerns in this sector that investors maybe aren’t really aware of?
KB: Renewables as a value proposition for our customers is a really strong proposition. When we carry out cybersecurity due diligence, if you think about some of the other sectors across the economy, you have finance, you have tech, you have health and fitness, you have hospitality. A lot of the cybersecurity due diligence that we do there is based on desktops, laptops, storage servers, databases, all the sort of standard stuff that I think we all understand cybersecurity can be applicable to.
However, when it comes to renewables, the creation, the storage and the transportation of energy requires operational technology, and these are large control systems that manage physical processes. So that could be venting poisonous gases before there’s some sort of tension within the system; it could be opening pipelines to make sure that the oil and gas flows in the correct manner. So those systems themselves can be highly susceptible to cybersecurity [risks].
The consequences of a cybersecurity incident within a renewable space, again, where you are creating, storing and transporting energy is entirely different from other sectors within the economy. If, for example, a finance company has a cybersecurity incident, that’s of course never a good thing, but you could be talking about loss of data, you could be talking about a ransomware attack, and although that’s a very negative thing to happen, it won’t affect and have the same impact.
MMG: Are there any types of businesses or niches within this space that are more prone to some high-risk factors? Can you share with us any examples of a time a cyber attack or any cyber risks have actually killed a deal?
KB: Yes, absolutely. I think to be honest, in terms of the type of threats that we see, it’s generally to startup companies and companies that are small to medium enterprises. If you think about the energy economy, you immediately think of household names around oil and gas, super majors or large energy companies.
But because of the value proposition of investing in renewables, here at TPCS we are seeing lots and lots of startups getting involved in the creation, storage and transportation of energy, and with that comes risks in itself. One particular deal that we worked on, and it’s quite an apparent one to me, was that there was a startup company who wanted to receive significant funding because they wanted to design a biofuels plant and they wanted to take that funding to build the plant itself.
So when we as TPCS went in and started to understand and do some cyber due diligence, it became very, very apparent that they had never considered cybersecurity before. When it comes to things like biofuels and sustainable air fuels, the risk to health and safety or of an environmental issue is really high, and the risk of a cybersecurity incident being the cause of that loss of primary containment meant that cybersecurity due diligence had uncovered a real lack of understanding as to the requirements for operational technology and cybersecurity. So the deal went no further, and that was one of the major red flags.
So I guess to answer your question, generally we see new businesses desperate to get into the race to net zero, and thank goodness they do because that’s what we need to see, but with very little understanding on some occasions of the risks of poor cybersecurity within renewables.
MMG: As you just mentioned, due diligence is critical in the dealmaking phase, particularly when it comes to mitigating some of these cybersecurity risks and actually understanding what those risks are. So what should the due diligence process look like for these investors that are interested in a space that is related to renewable energy?
KB: So I think there are a number of activities within the due diligence area that we would always recommend. I think the first one is always digital reconnaissance and that’s something that provides and paints a picture of any business’s digital landscape, including operational technology. I think it’s very important that digital reconnaissance is understood. I think, and I’m probably getting into the realms of James Bond and such like here, but cyber open source intelligence is really, really important.
So that is information that is available to anyone in the world on the internet. But if you know how to go about finding it out, you can map the cybersecurity threats that a company is facing and they may not know about. So that is an important part, looking at the external cybersecurity posture of any company. I think then when you move into a phase of starting to work with the company, because those two examples I gave, you can do remotely without any company even knowing; they’re relatively passive activities.
But I think when you move into starting to work with the companies, you want to be able to look at the documented artifacts that show their cybersecurity posture, their cybersecurity ways of working. You want to be able, importantly, to test those policies. Let’s be honest, downloading any sort of document that includes cybersecurity policies from the internet is reasonably easy to do, so when you’re doing due diligence it’s vitally important to test those documents to make sure they are embedded, they are socialized and they are followed.
And then I think it’s also very, very important to carry out workshops and interviews with members of staff who are responsible for the systems that are under due diligence. I think that’s key to make sure that you get that understanding and members of staff are generally quite open and willing to talk to third parties because some things they like to demonstrate and it’s a wonderful thing that they have identified some risks that they would consider important. And it’s always a good way of understanding those cybersecurity risks.
So I think the due diligence process has a number of activities within it, but those are the ones that I would certainly recommend that any investee, any private equity or venture capital firm make sure forms a core component of their overall due diligence.
MMG: Now, how do you suggest companies protect their interests contractually during the deal phase?
KB: That’s a really good question. During the deal phase, and this is something we at TPCS have been working through because we have different types of customers—if you work within venture capital and private equity, then it’s generally a minority stake that you take within the business. Therefore, it can be difficult to influence change because your voice is a little bit less influential than if you were for example an M&A organization that is taking full control of an organization. So we would always recommend that following due diligence, if you are an M&A company, then you build specific protections into the sales and purchase agreement, so that’s known as the SPA.
However, if you are a venture capital firm or private equity and you’re not going to be owning the company, you would sign a shareholder agreement. And that shareholder agreement is where you can place investment conditions and activities that you want to see that portfolio company following and doing over the course of that investment, because if you miss the opportunity and the shareholder agreement is signed without those requirements, then you literally are left trying to influence through goodwill and persuasion rather than having a legal position to fall back on. So we would always recommend that scenario and those contractual documents include cybersecurity provisions.
MMG: Another dominant trend for investors today is generative AI and artificial intelligence in general. A lot of dealmakers are hoping that its applications can increase both the profitability of portfolio companies as well as the efficiency of the M&A process itself. Talk to us about some of the major risks that you’ve observed around AI in this area.
KB: Certainly. I think one of the biggest risks currently is an assumption that if a product is based on AI that it’s secure. That is a growing assumption that the industry seems to be leaning on and I think that’s a dangerous path to follow. AI is incredibly intelligent, as the name would suggest, and it will make a huge difference to people’s lives, but it’s not yet clever enough to defend itself and to protect itself. That’s dependent on the people that build it, and one of the trends we’re seeing is that the functionality and the overall product itself is given massive importance—and rightly so, it’s the product and you want people to buy into that product and for any investment into that product to be successful.
But without cybersecurity in place, the inputs and the data that every AI machine is trained on may not be accurate, and the worst-case scenario for any AI product is to have inaccurate data and inaccurate responses to people’s questions and processes. And the way that that happens and can happen is that cybersecurity isn’t built in from the beginning. Therefore, the data that the AI machine is trained on is inaccurate, leading to inaccurate outputs, which would kill any investment in an AI machine. So we are very keen to ensure that assumption that people wrongly make is something that is explored and debunked because we really see that as something that’s growing and that’s a concern.
I think the second part to it is that if you are an AI company and you have a wonderful product that’s going to hopefully change people’s lives and better society, and the investors who have invested in that are going to realize a great return, is that the business behind that product is secure as well. So the people who support the product, the people who take it to market, who advertise it, all the business functions you would imagine, need to be secure as well, because if the product is secure but the business behind it isn’t, then the product’s not going to remain secure. And so we see those two main areas of concern around AI as inaccurate data due to poor cybersecurity standards within the product, but also the business that takes the AI product to market being insecure means that things may end in a rather negative way for both the company and investors.
MMG: Now let’s turn to after the deal. What are some of the cyber risks specific to the post-acquisition time frame?
KB: So again, I’ll probably split that down into the two different types of acquisitions. If you’re an M&A business and you acquire an entity within its own right, then post-deal, you have to consider the integration phase because you’ve now bought a company, you’ve bought its digital landscape and you’re now legally responsible for the actions of that company. It then needs to be integrated into your environment.
So I think it’s very important that any integration plan is built from a cybersecurity perspective based on risks. What are the greatest risks that were established within due diligence? Those risks then get transported and put into a cybersecurity improvement plan for example, and so from a post-integration phase when it comes to M&A that would always be the recommendation—that it’s a risk-based approach.
Interestingly, I think from a venture capital and private equity perspective, one of the biggest trends we see, and one of the biggest risks to these relatively small companies to begin with certainly, is that every deal that is put through is advertised and you can see that on LinkedIn, you can see it on the internet and it’s generally a bit of fanfare about a $20 million investment in a new portfolio company. Now for someone who’s worked in cybersecurity for as long as I have, that could be a real trigger for threat actors to look at a company and say, well, let’s look at this company that just received a $20 million investment. So that means at the very least, there’s $20 million being put into that company.
But ultimately it must have been invested for a reason. There’s something valuable within that company. And that means that those companies, when it’s advertised that investments have been made and partnerships have been formed, it’s vital that the work identified in pre-deal due diligence is kicked off immediately because there’s no doubt in my mind that those companies immediately become a much more attractive target for the threat actors that we see out on the internet. So that’s something that I would always suggest. We’re delighted to see deals being done, but there’s no doubt that by advertising deals are done that there could be consequences to that.
MMG: We’ve talked about the risks in using AI. We’ve talked about the risks as you just mentioned in deal publicity. It’s really clear that cybersecurity risks are quite prolific in the dealmaking process within this industry. As you continue to work with private equity firms and other dealmakers, are there any other developing risks or trends that you’re seeing emerge? And how do these risks in this space differ from kind of broader cybersecurity concerns out there?
KB: One of the trends, and it’s actually a positive trend at the moment, is that we’re really seeing the legal community step up and realize the importance of cybersecurity due diligence. The reason that I mention that is because I think it answers your question in a sense as to why, and when it comes to renewables specifically which I know was an important part of today’s chat, is that there’s so much legislation, legal and regulatory requirements now being built up around renewables and indeed other sectors around the importance of cybersecurity, that the legal community is really forcing and pushing their clients, as we are, to ensure that cybersecurity is carried out. For me, cybersecurity has always been important and it’s always been something that we at TPCS are highly passionate about, and we see that passion across the industry.
But there is a real edge to this now in terms of the amount of legislation that is out there, that the U.K. government, governments in European countries and indeed in the U.S. are setting down. For example, there is a requirement now that if you are a part of solar, so again renewables, there’s lots and lots of legislation now around cybersecurity controls that you must have to be able to operate as a solar provider within the renewables space. So from a trend perspective, I think it’s the legal community working to understand the regulations and the impacts of noncompliance on investments that are made in those companies.
MMG: Finally, my last question for you: Private equity firms might be confident in their due diligence processes on the acquisition side, but there are always blind spots. Do you think they might be missing some risks that could degrade the quality of their investment on the sell side? And can you tell us a little bit about those risks and how they can mitigate them?
KB: So that’s a really good point as well. And that’s one of the reasons that when post-deal, at some point that deal and that investment will be exited, and when it’s exited, anyone that’s going to come in and buy that stake in the company or acquire the company in full are going to be looking for assurance that their investment isn’t going to be degraded by cybersecurity.
So one of the things that I would always suggest to any portfolio company is to document what you do from a cybersecurity perspective. There are lots of companies out there that do fantastic day-to-day things. They have strong passwords, they have multi-factor authentication, they have firewalls in place. They do lots of great things, but they don’t document it. And that means when people are looking to exit or they’re looking to fundraise more, then they can’t provide that evidence to companies that are involved in the due diligence process.
When it comes to specific risks—so that would be my first point, to document and be able to have those artifacts in place—I think the second point around cyber risk is to always test your cybersecurity regularly. There are mechanisms that you can put in place to carry out like an annual penetration test where you pay a third party to try, actively but ethically, to hack into your systems. That is invaluable because you would much rather find an issue with a partner organization than someone sitting on the internet with no such moral boundaries and who would happily exploit anything that they find.
So I think you should test your systems regularly and back them up regularly to make sure that your systems are always going to be available to you and in general carry out an ongoing cybersecurity risk assessment. Keep up to date with cyber threats that are out there. They change, unfortunately for people like myself and the team at TPCS, on a daily basis and we have to react to that and so do our customers. So keep up to date on the latest threats, risk assess what they mean to you as an organization and document everything.
MMG: Great, a lot of really valuable cybersecurity insight there for renewables investors and dealmakers across sectors. Kenny Boyce with TPCS, thank you so much for joining the Conversations podcast.
KB: You’re more than welcome. Thank you.
This transcript has been edited and condensed for clarity.
The Middle Market Growth Conversations podcast is produced by the Association for Corporate Growth. To hear more interviews with middle-market influencers, subscribe to the Middle Market Growth Conversations podcast on Apple Podcasts, Spotify and Soundcloud.