Rep. Higgins presses witnesses on risk when equity firms buy small infrastructure firms and drop cybersecurity
Get AI-powered insights, summaries, and transcripts
Subscribe
Summary
Rep. Clay Higgins asked industry witnesses whether the common private-equity practice of buying small infrastructure firms and cutting cybersecurity contracts poses long-term national security risks; witnesses agreed it creates significant vulnerabilities that can be exploited by threat actors.
Representative Clay Higgins told the House Homeland Security Subcommittee he is investigating reports that equity firms buying small companies connected to critical infrastructure sometimes eliminate cybersecurity protections, creating windows of vulnerability that could be exploited by foreign or criminal actors.
Higgins described the pattern he said he has observed: firms purchase smaller companies in sectors such as energy, finance, transportation and supply chain, and some new owners reportedly “eliminate the cybersecurity contracts of those companies.” He asked witnesses whether the loss of protections for weeks or months after an acquisition could have irreversible impacts on critical infrastructure.
Steve Fale of Microsoft replied that removing cybersecurity protections from companies tied to critical sectors is “absolutely…a problem” and indicative of a broader inattention to cybersecurity among smaller firms. Kiran Chinnagongon Nagari of Securin echoed the concern, saying “there's a huge security risk by having these type of protections taken away from small businesses when they're either acquired or merged with other companies,” and that such companies can provide an “attack vector” to reach critical-sector customers, including government.
Witnesses did not propose specific statutory remedies during the hearing. Members asked for written follow-up and emphasized the need for better oversight and support for small firms that are part of critical supply chains. The committee did not take formal action during the session.