Security Check: Make Cyber Part of the Diligence Process
In today’s digital economy, every company is a technology company—which means every company is susceptible to a cyber attack. That’s why organizations seeking an M&A transaction must pay close attention to the cyber risks of companies they plan to acquire.
The due diligence process typically focused on uncovering the financial condition, assets, liabilities, and overall health of the target company. It still does. But the business world’s heightened reliance on IT assets and emerging technologies adds a new and necessary layer to the due diligence process: cyber diligence. A breach can have a significant impact on financial performance and, consequently, quality of earnings.
A cyber diligence assessment examines vulnerabilities of the target’s IT assets and the scope of damage that could occur in the event of a breach. While cyber diligence might not always provide complete assurance of the target company’s ability to protect and defend against cyber threats, it can provide a reasonable understanding of the target company’s current capabilities.
For example, how is the target company currently monitoring threats? What kind of response plan does it have in the event of a hack? How quickly can the company recover if an attack disrupts its supply chain or its ability to bring products to market?
Performing a cyber diligence assessment can shed light on these questions and, depending on the answers, impact the way an acquirer values and structures a deal. After all, Verizon ultimately paid $350 million less than planned for Yahoo following the disclosure of two massive breaches.
By contrast, sellers that demonstrate a strong cyber security posture can see their valuations increase. In many cases, good “cyber hygiene” at a target company is symbolic of other good habits, such as proper operational controls and excellent governance.
When it comes to cybersecurity, companies don’t need to boil the ocean. But they must do the basics and do them right. This includes making sure their systems are updated and patched on a regular basis, and putting the proper security configurations and password controls in place. It also includes providing cyber training to employees. People are often the weakest link.
Per a new survey conducted by CohnReznick and Nexia International, a leading, global network of independent accounting and consulting firms, on the current state of cyber preparedness, 20% of organizations have never conducted a cybersecurity assessment and only 25% provide cybersecurity training to employees at least annually. What’s more, 20% of companies that are required to have a cybersecurity program based on government, industry, or customer regulations don’t have one.
An acquiring company or lender needs to understand and evaluate whether a target company has established an adequate cybersecurity strategy and has proper governance to ensure that its processes and controls are working adequately. Strong cyber processes and controls will defend against threats from both external malicious attackers and from internal users who may fall prey to phishing emails and clicking links that provide sensitive information to intruders seeking access to the network. For the lender in the transaction, understanding the risks and financial impact of a breach can impact the underwriting of the business.
Acquirers should also know whether a target business has recently engaged a third party to undergo a vulnerability assessment and penetration testing of its network. These tests will gather intelligence on any past breaches at the target company and ascertain whether any customer information—or the target company’s intellectual property—has been compromised and is available for sale on the dark web.
Equally important is whether proper security awareness training is provided to employees. Does the culture promote identifying, detecting, and notifying IT management or responsible parties if employees see something malicious? If not, that company could be at heightened risk.