Corporate deal teams and private equity professionals are increasingly making cyber-security diligence a mandatory requirement in the M&A transaction lifecycle. Savvy deal makers now recognise the rewards to be gained, and they are not purely about risk mitigation. CIOs, CTOs and CISOs need to be ready to play an important role in deal diligence and execution.
Capital events, which include mergers and acquisitions, are often the largest transformation event and capital investment a business will perform during any given financial lifecycle. A bit like buying, extending or moving house, it is a period of significant turmoil for businesses and their valuable assets. Depending on whether you are the acquirer or the seller, your organisation's family will be joining someone else's house, with their culture, processes and systems.
During traditional deal diligence, business balance sheets and growth projections may look healthy. Cyber-diligence, however, can reveal that the business has under-invested in information security, contains hidden vulnerabilities and shows evidence of compromise – findings which may be of strategic importance to the deal. Would you acquire a firm if its customer data has already been breached and is being sold on the dark web? Or integrate a firm's infiltrated application into your core network? Such deal breakers are less common, but when identified they save an acquiring firm significant financial losses and brand damage.
Whether deal teams are seeking to acquire the latest trendy technology firm or a traditional ‘bricks and mortar’ business, understanding how far generating profits and maintaining operations depend on digital technology is critical to deal execution and value.
Savvy deal-makers are waking up to the value impacts and competitive advantage to be gained from cyber – a price chip on the deal. Deal values are typically calculated as a multiple of profits (actually EBITDA), so deal makers seek to identify exceptional costs or to factor in increased operational expenditure, such as cyber-investment needs, driving the deal price down at a multiple of the reduced EBITDA. Informed deal teams already know the level of cyber-investment by sector and will seek a “clean bill of health” and compliance record over a sustained period prior to the deal – otherwise expect a price chip negotiation.
Cyber-diligence must operate at transaction pace, joining the dots between the business operating model and the technology to identify cyber-risks and deal impacts, often working early in the deal lifecycle with limited information.
In theory you could wait until the deal is completed, at which point a buyer can perform full security tests on newly acquired IT systems and applications, but this is the digital equivalent of trying to crack open the bank vault after you have bought the bank.
You may want to consider or be ready to answer the following questions depending on which side of the deal you are operating:
How does your business generate operating profits and revenues? What are the key intellectual property and data assets?
What would be the value impact of a breach on key processes or information assets?
Has the business been compromised, or been at risk of compromise, over the last 12 months?
Does the business have adequate cyber-governance – for example, does the board frequently receive and act upon active cyber-metrics and reporting?
What level of oversight is there on third-party suppliers – for example, IT managed service providers and cloud services?
What level of cyber-security investment has been made in the last two to three years, and what is forecast for next year?
CIOs, CTOs and CISOs have an opportunity to embrace their role in deal execution and become the catalyst for businesses to address cyber-risks by leveraging transaction value. Capital events can drive a positive ripple effect across businesses and our economy where perhaps many cyber-industry standards and regulations have failed.
Contributed by Ian McCaw, transactions cyber team leader, EY.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.