Hidden M&A cyber-risks and value - due diligence can uncover deal-breakers

Corporate deal teams and Private Equity professionals are increasingly treating cyber-security diligence as a mandatory requirement in the M&A transaction lifecycle. Savvy deal makers now recognise the rewards to be gained, and those rewards are not purely about risk mitigation. CIO/CTOs and CISOs need to be ready to play an important role in deal diligence and execution.

Capital events, which include mergers and acquisitions, are often the largest transformation event and capital investment a business will perform during any given financial lifecycle. A bit like buying, extending or moving house, it is a period of significant turmoil for businesses and their valuable assets. Depending on whether you are the acquirer or the seller, your organisational family will be joining someone else's house, with their culture, processes and systems.

Strategic risks 

Cyber-criminals understand this turmoil too and seek to exploit it more often than you might think: there is a marked increase in phishing attacks during M&A activity as attackers seek to catch off guard newly appointed C-level executives, finance functions or IT teams. Attack opportunities broaden as the buyer's and seller's IT systems, networks, applications, data and suppliers are integrated. Consider some of the most high-profile cyber data breaches of the last two to three years and you will often find their genesis lies in M&A activity.

During traditional deal diligence, business balance sheets and growth projections may look healthy, whereas cyber-diligence can reveal under-investment in information security, hidden vulnerabilities and evidence of compromise, any of which may be of strategic importance to the deal. Would you acquire a firm whose customer data has already been breached and is being sold on the dark web? Or integrate a firm's infiltrated application into your core network? Such deal-breakers are less common, but when identified they save an acquiring firm significant financial losses and brand damage.

Price chip

Whether deal teams are seeking to acquire the latest trendy technology firm or a traditional 'bricks and mortar' business, understanding how dependent profit generation and day-to-day operations are on digital systems is critical to deal execution and value.

Savvy deal-makers are waking up to the value impacts and competitive advantage to be gained from cyber: a price chip on the deal. Since deal values are typically calculated as a multiple of profits (strictly, EBITDA), deal makers seek to identify exceptional costs, or to factor in increased operational expenditure such as cyber-investment needs, driving the deal price down as a multiple of the reduced EBITDA. Informed deal teams already know the typical level of cyber-investment by sector and will seek a "clean bill of health" and a sustained compliance record prior to the deal; otherwise, expect a price chip negotiation.

Shining a light on cyber-risks

Cyber-diligence must operate at transaction pace, joining the dots between the business operating model and the technology to identify cyber-risks and deal impacts, often working early in the deal lifecycle with limited information.

In theory you could wait until the deal is completed, at which point a buyer can perform full security tests on newly acquired IT systems and applications, but this is the digital equivalent of trying to crack open the bank vault after you have bought the bank. 

There is no one-size-fits-all approach to cyber-diligence because each business operating model is different, but CIO/CTOs and CISOs need to be ready with the latest cyber-risks, how these affect operations, assets and regulations in the target business, and the resulting impact on deal value.

You may want to consider or be ready to answer the following questions depending on which side of the deal you are operating:

How does your business generate operating profits and revenues? What is the key intellectual property and data assets?

What level of dependency does the business have on IT systems and data to operate? What are the key systems?

What would be the value impact of a breach on key processes or information assets?

Has the business been compromised, or been at risk of compromise, in the last 12 months?

Does the business have adequate cyber-governance? For example, does the board regularly receive and act upon current cyber-metrics and reporting?

What level of oversight is there of third-party suppliers, for example IT managed service providers and cloud services?

What level of cyber-security investment has been made in the last two to three years, and what is forecast for next year?

Asking the right questions is important, but the specialist techniques and skills for performing cyber-diligence are evolving rapidly to leverage other sources of information, such as dark web and digital footprint intelligence. Money talks, and M&A teams cannot afford to get it wrong.

CIOs/CTOs and CISOs have an opportunity to embrace their role in deal execution and become the catalyst for businesses to address cyber-risks, leveraging transaction value to do so. Capital events can drive a positive ripple effect across businesses and our economy where perhaps many cyber-industry standards and regulations have failed.

Contributed by Ian McCaw, transactions cyber team leader, EY

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.