In our latest Q&A, we got in touch with Goodwin Procter partner Ilan Nissan to discuss current PE trends in cybersecurity and technology. In a wide-ranging interview, Mr. Nissan addressed the unique challenges PE firms face in keeping sensitive data secure, SEC regulatory activity, ed-tech and SaaS investment, and much more. Read the full transcript below:
Data security is a primary concern for all companies, but private equity firms may face special challenges given centralization of data and IT operations. What are other unique cybersecurity challenges PE firms face?
Private equity firms face many unique cybersecurity challenges, some of which were addressed in the SEC’s cybersecurity guidance update released in April 2015. The guidance update highlighted a number of cybersecurity issues, including controlling access to internal systems and data, ensuring adequate data encryption, protecting against the loss or exfiltration of sensitive data, and having robust incident response plans for data breaches when they occur. These issues are particularly relevant for private equity firms because of the large quantity of sensitive data they possess.
What are some key regulatory measures, apart from the SEC’s recent cybersecurity guidance, that are in the offing, and how could they affect PE firms?
A key regulatory development for the private equity industry was a speech by Marc Wyatt of the SEC in May 2015 entitled, “Private Equity: A Look Back and a Glimpse Ahead.” Wyatt’s speech emphasized that the SEC was especially concerned with three types of activity within the private equity industry: expenses and expense allocation, co-investment allocation, and regulation of real estate advisors. All three of these areas are likely to see increased SEC regulatory activity.
In June 2015, the SEC reached a record $30 million civil settlement with a prominent private equity firm that implicated two of the regulatory areas highlighted in Wyatt’s speech: expense allocation and co-investment allocation. The SEC asserted that the firm breached its fiduciary duties by misallocating, and inadequately disclosing, its “broken deal” expenses. The settlement was particularly concerned with the allocation of expenses between the firm’s limited partners and co-investors. As a response to these recent regulatory activities, it likely that private equity firms will look to strengthen their expense allocation and co-investment policies.
Google’s move of its internal corporate apps to a cloud model caused a lot of ripples. Do you think that this move, which essentially seems to be a shift toward a device-based security model, will be increasingly adopted?
Google’s decision to move its internal corporate apps to a cloud-based model was a bold step by an industry leader. The device-based security model is a reaction to the increased use of mobile devices and cloud-based applications by Google employees. Since many companies and employees will likely continue to increase their use of mobile devices and cloud-based applications, this model could be increasingly adopted in the near future.
Some regard phishing as a crucial threat to private equity firms and consequently call for more employee education on typical cyber threats. What other initiatives do you think private equity firms would do well to adopt?
Phishing is a concern for private equity firms, and the robust education of employees is the primary way to mitigate the threat. Firms can educate employees and protect their data through having mandatory training sessions, strong internal IT protections, robust compliance procedures, and by conducting live tests to see if employees can detect emails that appear fraudulent.
There’s been talk among business litigation of corporate directors and officers increasingly at risk of suits when it comes to data breaches. Do you think that similar scrutiny could begin to impact managing partners regarding portfolio companies? If so, how can private equity firms best mitigate risk?
The best way for private equity firms, and managing partners, to mitigate this risk is to have strong compliance and data security protections and procedures. Both private equity firms and their portfolio companies should have these protections as a way to mitigate any potential scrutiny.
Which particular aspects of ed-tech are you seeing the most interest in from private equity investors? In addition, private equity firms are cutting a fair amount of ed-tech deals in emerging economies, so do you foresee such investment being mainly B2C-focused or will there be an expansion to workplace training (i.e. B2B)?
Ed-tech has been an increasingly important sector for private equity firms, VC firms and other private investors. A recent report found that over $2.5B was invested into ed-tech companies during the first half of 2015. A majority of these investments were in B2C ed-tech companies. However there was also a significant, and growing, amount of capital invested in K-12 and B2B ed-tech companies.
There has been a significant amount of funding for ed-tech companies in emerging markets in recent years. In the first half of 2015 there were 13 ed-tech companies that obtained over $50 million in funding, nine of which were located in emerging markets. Eight of the companies were based in China and one was based in Brazil. Given the overall industry trend towards increased investment in B2B ed-tech companies, it is likely that this pattern will also be seen in emerging markets.
SaaS has been a buzzword for some time now, even as private equity investment in the space has grown apace. What developments do you forecast for private equity investment, and the space as a whole?
Private equity firms have invested significant amounts of capital in the enterprise software sector over the last few years. Buyouts of larger enterprise software companies such as Informatica Corp., Tibco Software Inc., and Riverbed Technology Inc., demonstrate private equity firm’s desire for SaaS deals. There were also 53 middle-market software deals in 2014, with a median investment of $100 million. Given the availability of low-cost capital, and the strong underlying financials and recurring revenue of many SaaS companies, there will likely continue to be a significant amount of private equity investment in this sector.
Looking more specifically at trends in private equity software deal making, how heated is the market? Do you think expectations of software synergies are too optimistic right now to justify current multiples?
The valuations for certain software companies have reached multiples of 13 to 15, which is on the higher end historically. However, there are still a large number of software companies that justify robust valuations based on their growth rates and addressable markets. For example, FinTech and Healthcare are two software sectors that appear to provide strong investment opportunities for private equity firms. In addition, enterprise software companies with recurring revenue models can be attractive investments for private equity funds due to their strong cash flow and sticky customer bases.
A partner at international law firm Goodwin Procter, Ilan Nissan is a senior advisor to private equity, venture capital and hedge funds, as well as alternative asset managers and their portfolio companies in a wide array of transactions and strategic matters.
Want to read more interviews on the PE, VC and M&A landscapes? Click here for an archive of our previous Q&As with industry professionals.