A new report by professional body (ISC)2 has found that 96 percent of respondents indicated that cyber-security readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.
According to findings from the organisation’s Cybersecurity Assessments in Mergers and Acquisitions report, survey respondents unanimously agreed that cyber-security audits are not only commonplace but are now actually standard practice during M&A transaction preparation.
Of the 96 percent of respondents who indicated that cyber-security readiness is a factor in the valuation assessment, 45 percent said a standard plus/minus value is assigned to a cyber-security programme in a pass/fail manner. 53 percent said the value that the cyber-security programme represents can range widely based on the specifics of the programme.
The research also found that the results of such due diligence can have a tangible effect on the outcome of a deal, both in terms of overall value and even whether a deal is completed or not.
The survey of 250 US-based professionals with mergers and acquisitions (M&A) expertise found that 77 percent of M&A experts have recommended one acquisition target over another based on the strength of a cyber-security programme, while 57 percent of survey respondents said an acquiring company they work with has been surprised to learn of an unreported data breach during the audit process. Nearly half (49 percent) indicated that they had witnessed a merger or acquisition agreement fall through as a result.
The report also said that 52 percent of respondents indicated that the share value of publicly-traded clients has been negatively affected as a result of an acquired company’s post-acquisition data breach.
If a target company publicly reported a breach of customer or other critical data in its past, it detracts from the acquisition price assigned, according to 86 percent of respondents.
When looking at infrastructure associated with cyber-security programmes, 95 percent of respondents indicated that it is a tangible part of the calculation of value. According to 82 percent of those surveyed, the stronger the infrastructure, including soft assets such as risk management policies and security awareness training programmes, the higher the value assessed.
Just over half (52 percent) said that if the audit reveals weak security practices, the cyber-security programme as a whole is considered a liability.
Survey respondents foresee cyber-security playing an increasingly prominent role moving forward. While 54 percent consider cyber-security audits to be vital to the M&A process already, 42 percent believe the importance will only increase over the next two years.
"Businesses are facing unprecedented challenges in protecting their digital infrastructure, and that of their customers, because of the sophisticated, targeted and voluminous attacks that can be launched against them at any time," said Wesley Simpson, COO, (ISC)2.
"Our report indicates that it’s not simply whether or not a company has suffered a data breach that is most important to potential acquirers, but how the breach was remediated, and the steps taken to improve processes. Business leaders and financiers now understand that sound cyber-security practices are critical to the bottom line and having the right skilled professionals in place to implement them is a solid insurance policy against devaluation."
Tim Mackey, principal security strategist at Synopsys CyRC (Cybersecurity Research Center), told SC Media UK that the consequences of a poor cyber-security posture have never been more severe—from breaches that result in loss of customer data and IP to regulatory fines and reputational damage. For companies involved in M&A transactions, the stakes are even higher as deal sizes and stock prices can be impacted significantly by an ill-timed security incident.
"For acquiring companies, it is critical to perform a thorough evaluation of technical and cyber-security risk factors as part of the due diligence process. Failure to do so can result in the acquiring company inheriting unreasonable technology and security debt, imminent legal or regulatory obligations, and a tarnished brand," he said.
"Specifically, the acquirer should be vetting that the target entity has well-established processes and controls in place for developing, deploying and maintaining their technology securely. They also need to ensure that the open source components used to build the technology, which typically exceed the proportion of proprietary components, are sufficiently secure, up-to-date, and free of software license conflicts or violations."
Former Vodafone CTO and current director of strategy and technology, Europe for Optiv Security, Andrzej Kawalec, told SC Media UK that to mitigate security risk from M&A, cyber-security experts should be brought into the due diligence process early, and preferably before deal value is set.
"This is the only way the acquiring company can get a clear picture of the real and potential risks the acquisition target may introduce through its security gaps and any active intrusion, and impact to deal value. Not every security consultant has experience conducting M&A due diligence, so selecting the right partner is critically important," he said.