There are three common reasons cyber security has to be among the top priorities for the C-suite: to maintain the confidence of partners, customers and investors. Loss of confidence by any of those groups could undermine corporate revenues.
A new report suggests there’s another reason: To keep up the value of the company for a possible merger or acquisition.
“Virtually all acquirers must implement a rigorous diligence process when considering M&A targets,” says the report by West Monroe Partners, a U.S.-based business and technology consulting firm. “The nature of cyber threats is also changing constantly, requiring a nimble approach to due diligence.”
How big an issue is it? According to a survey of 30 senior executives at corporate and private equity firms that frequently conduct M&A transactions, 80 per cent said cybersecurity issues are highly important in doing due diligence on potential deals. The other 20 per cent said they are somewhat important.
Just over three quarters said the importance of cybersecurity in potential deals had increased significantly over the last 24 months.
These numbers reflect the rapid growth of risks related to cybercrime and the growing number of costly data breaches, says the report.
It quotes the director of M&A at an unnamed technology firm that completes more than 10 acquisitions a year, who said that “information collected through data security diligence plays the most important part in deciding the future course of the deal. We operate in an industry where data security is of utmost importance and therefore any breach or intrusion could permanently harm the company’s image and operations.”
The obvious worry is the cost of fixing security problems or covering damages for previous breaches in the company being acquired, in addition to integrating two security architectures. More than a third of respondents said they are highly concerned about the occurrence of frequent or recent data breaches in a company being looked at.
Thirty-seven per cent of respondents said they are especially worried about threats to customer data, while 33 per cent said threats to business data concerned them.
On the other hand, the report acknowledges that how competently a company responded to a breach could add to its value.
How thorough will the examination be? The report says a proper due diligence should look at the full gamut of risks: breach history, specific data threats, problems for integration, and the cost of potential fixes.
The report says the red flags respondents have found in their examinations include the lack of a comprehensive data security architecture, vulnerability to insider threats, inadequate security on mobile devices, vulnerable local server storage, the lack of a data security team, weak encryption/security by vendors, vulnerable cloud storage and a weak employee password policy.
Would your organization stand up to that kind of examination?
The report also notes that the target company may have clear grades in many of these categories but a lack of good governance in the form of written policies and procedures could be a warning sign.
One last point: cybersecurity issues alone aren’t a deal-breaker, most respondents admitted. However, they could affect the value, or whether an offer is made at all.