M&A – Cyber Security Due Diligence

0

Following the discovery of two data breaches affecting more than 1 billion Yahoo Inc. users, Verizon Communications Inc. reduced its offer by $350 million to acquire the company in 2017. This transaction illustrates how a companies’ reputation and future are impacted by cybersecurity, failure to investigate these measures during mergers and acqusitions could lead to costly integration, unexpected liability and higher overall enterprise risk.

We can see almost daily the effect a data breach can have with companies losing millions in terms of direct losses, reputational damage and customer loyalty. A hurried or limited cybersecurity vetting process may miss exposures or key indicators of an existing or prior breach.

It is crucial to understand cybersecurity vulnerabilities, the damage that may occur in the event of a breach, and the effectiveness of the infrastructure that the target business has in place. An appropriate evaluation of these areas could significantly impact the value that the acquirer places on the target company and how the deal is structured. It is therefore crucial to perform a security assessment on the to-be-acquired company.

It wasn’t that long ago that mergers and acquisition deals were conducted in a paper-based room secured and locked down to only those with permitted access.  These days the process has moved on and is now mostly online, with the secure virtual data room being the norm. Awareness of cyber security in the information gathering part of the deal making process is well established. It is the awareness and need to look at the cyber security of the target company itself that has traditionally been under emphasised, looking more at the technical and practical job of integrating the merged companies’ infrastructure.

Deal makers acquiring must assess the cyber risk of an organisation in the same way that it would assess overall financial risk. Due diligence is all about establishing the potential liabilities of the company you are taking on.  According to the Verizon Data Breach survey it takes an average of 206 days to discover a breach. Often companies are breached without ever knowing. It is therefore important to look at the cyber risk not just in terms of have they been breached but what is the likelihood and impact of a breach.  An acquisition target company that looks good at the time of closing the deal may not look quite so good a few months later.

The main reason for this lack of importance given to the cyber threat is that M&A teams find it hard to quantify the cyber risk particularly given the time pressures involved.  A cyber risk assessment at the M&A stage is crucial if the acquiring company wants to protect its investment. The ability to carry out this assessment and to quantify the business impact of a likely cyber breach with a monetary value is invaluable to deal makers. Broadgate’s ASSURITY Assessment provides this information in a concise, value specific way using business language to measure risks, likelihood and cost of resolution.

A cyber security assessment should be part of every M&A due diligence process. If you don’t know what you are acquiring in terms of intellectual property and cyber risk how can you can possibly know the true value of what you are acquiring!

 

RSS Feed Subscribe to our RSS Feed

Posted on : 31-08-2018 | By : richard.gale | In : Cyber Security, data security, Finance

Tags: , ,

Write a comment