Should Private Investors Be Running Our Cybersecurity?


The need and demand for greater cybersecurity has increased exponentially in recent years, as everyone from high-profile corporations and governments to unsuspecting home computer users has fallen victim to hacks. Given this demand, it should come as no surprise that private investors are lining up to acquire cybersecurity firms and take advantage of the potential for big profits.


But with some of the nation’s largest private equity firms, including Blackstone, Silver Lake, and Thoma Bravo, holding major stakes in cybersecurity software firms, questions abound over what impact they will have on the operations of their acquisitions.

Private Equity Investing In Cybersecurity Firms

Industry insiders and cybersecurity experts have expressed concerns that unsophisticated private equity investors, in a drive for profits, could potentially compromise both our business communities' and our government’s cyberdefense by taking a knife to the budgets that help ensure the data they protect are in fact protected.

Case in point: Thoma Bravo’s and Silver Lake’s $4.5 billion acquisition of SolarWinds, which is the subject of litigation and federal scrutiny following a nationally publicized data breach in 2020 that impacted agencies ranging from the Treasury Department to the Justice Department. In response, last week, a set of pension funds sued SolarWinds, Thoma Bravo, and Silver Lake for contributing to the security failures, arguing that they were gutting SolarWinds of the staff and resources needed to provide a reliable product, and that they knew they were gutting it.

The acquisition of SolarWinds by private equity underscores the problem, especially at a time when private equity firms have set their sights on other strategically important software companies. The private equity industry has a reputation for aggressive cost-cutting to turn around troubled companies, which can work well if there is capable, experienced leadership in charge. But reckless, indiscriminate cost-cutting that sacrifices long-term safety for the sugar rush of short-term gains could prove disastrous in a field as unforgiving as data security. Given this context, it’s not unreasonable to ask whether investors like Thoma Bravo and Silver Lake have the expertise to be involved in such a critical space. Would anyone trust TD Ameritrade to tell Lockheed Martin how to build airplanes?

There are other examples, but the Thoma Bravo/Silver Lake case is one of the most egregious – at least so far. The questions around this transaction are particularly important given how aggressively these companies are moving into this space. Indeed, Thoma Bravo has picked up other cybersecurity companies, such as Sophos in March 2020 and Intel 471 earlier this year. While the international cybersecurity firm Sophos was growing its footprint in the US, Thoma Bravo ultimately imposed cost-cutting measures, including swift layoffs, in a move that raised concerns that Sophos itself was now vulnerable to a hack.

While it’s easy for those outside the defense sector to cluck their tongues at it, we must remember that the American defense model has kept our country – and by extension most of the world – relatively safe and stable for the last 80 years. If predatory financial tactics enter the defense industry, they threaten every industry.

So while there is a place for private equity firms in cybersecurity, they must step lightly until they know what they’re doing.