Data Security Compliance ROI — What PE Investors Need to Know

October 14, 2021

At a glance:

  • Compliance costs are relative to revenue: The cost of compliance reporting rises and falls across the four stages of business maturity relative to revenue.
  • Early compliance increases ROI: Establishing efficient compliance programs early lowers cyber risks, decreases cost-per-new-client acquisition, and increases margin and return on investment (ROI) over time.
  • Compliance is a cost of doing business: Private equity (PE) firms need to consider the costs of privacy and security programs and compliance reporting in their projections for ROI. Managing risk requires an understanding of the policies and procedures that should be in place at the prospect’s growth stage. To assess a prospect or portfolio company’s compliance maturity, risk profile, and the cost of compliance over time, click here to contact an Aprio advisor.

The full story:

According to a recent Gartner Report, the worldwide information security market is expected to reach $170.4 billion in 2022. Data privacy and security compliance cost money. If the appropriate compliance programs are not in place, investors and their portfolio companies face significant risk that can negatively impact valuations and jeopardize ROI.

PE firms need to consider the cost of privacy and security programs and compliance reporting in their projections for ROI.

Relative costs

The big question for investors is: how much will security and compliance cost over the term of the investment? Unfortunately, there is no rule-of-thumb formula for determining data security program costs. Every business will have unique inherent risks and vendor pricing models can vary significantly. However, on average, the cost of compliance rises and falls across growth stages and is generally relative to revenue.

You can view business maturity in four stages:

  1. Early Stage
  2. Positioned for Growth
  3. High Growth
  4. Mature Growth

The costs of implementing controls and processes, maintaining compliance reporting and adding staff increase in Growth Stages 2 and 3, and those costs decrease with maturity in Growth Stage 4, as security becomes woven into the business.

When considering the cost of data security, it’s imperative for buyers to assess the acquisition’s growth stage, understand the risks associated with the business, and determine if the right policies, procedures and governance are in place for the maturity of the business. These factors provide a starting point to determine the level of effort and potential costs associated with advancing and maintaining compliance programs.

Here is a breakdown of what should be happening at each stage of development.

Stage 1: Early-stage Compliance

Regardless of the industry sector, relevant compliance standards, reporting or certifications that are applicable to the business, the ability to demonstrate compliance is essential to growth. No compliance, no growth.

Early-stage companies often lack standardized business agreements and have incomplete (or no) security policies or procedures. With no compliance framework in place, they will struggle to efficiently respond to RFPs or client data security inquiries. The first step in the journey to compliance is to get a risk assessment from a qualified independent data security provider, like Aprio.

A risk assessment identifies the business’s exposure related to the inherent data flows and points of access in its business model and will identify any control gaps or vulnerabilities.

Although security and compliance costs are lower relative to revenue at this stage, the risks are higher, which can have a negative impact on valuation and long-term profitability. A breach can decimate an early-stage growth company. The cost alone can wipe out a 10-employee startup, not to mention have a negative impact on the business’s reputation. The sooner compliance programs are in place, the lower the risk of a breach.

Stage 2: Positioned for Growth

Companies that are positioned for growth should have standard business agreements and have performed risk assessments that meet the fundamentals of all relevant compliance frameworks. Executive leadership should have identified the need for risk management, and the company should have compliance requirements documented in the following areas:

  1. Onboarding/terminations
  2. Training
  3. Security
  4. Incident response
  5. Third-party risk
  6. Other policies and procedures

Creating controls and formalizing policies and processes increases compliance costs relative to revenue at this level of maturity, but the risks of a breach and its impact on long-term value decrease.

Stage 3: High Growth

High-growth companies should have a well-defined risk management strategy and repeatable risk assessment processes in place addressing all relevant compliance standards, reporting and certifications. Companies in this stage of growth should have dedicated compliance programs and leadership should take ownership of risk management. The business should have established monitoring controls that are functioning as designed, as well as a yearly compliance monitoring program.

Having the right reporting, certifications and monitoring in place provides timely evidence to demonstrate compliance. These increased efficiencies decrease the cost of acquiring new customers and improve profit margins.

Stage 4: Mature Growth

In mature-growth companies, board leadership should take an active role in data privacy and security governance. The business should have a defined risk management strategy that it is executing throughout the organization, and it should continuously improve the strategy over time. Leadership should have filled security and compliance roles, and internal audits should take place on a regular basis. Staff should perform security functions efficiently and through outsourced relationships, and the business should continuously monitor key controls.

At the highest level of maturity, the cost of security is woven into the business and its budgeting and forecasting processes; therefore, there is no incremental cost in taking on new customers.

The bottom line

PE firms need to realize that data privacy and security compliance must be considered as a cost of doing business and factored into budgets and projections. Understanding compliance costs and revenue potential by business stage and term of investment is an essential component in ROI forecasting and helps determine whether a business represents a good investment.

If you are considering an acquisition and need risk assessment, compliance readiness, compliance reporting or managed cybersecurity solutions, click here to contact an Aprio advisor.


About the Author

Powell Jones

Powell Jones, CISA, CCSFP, is a partner on Aprio’s Information Assurance Services team. Powell works with clients of all sizes, from startups to multinational companies. His experience in ISO certifications, SOC reporting, HITRUST CSF and third-party risk management helps clients select the right reporting options and gain efficiencies in managing multiple compliance frameworks and requirements. He uses his technical expertise and strong understanding of business processes, IT controls, and data security to help clients safeguard and grow their businesses.
