Cyber Due Diligence: Protecting M&A Value


Cyber threats are everywhere, and breaches make headlines on what seems like a daily basis. They also cost companies—in money and reputation. The global cost of cybercrime is expected to reach $6 trillion annually by the end of 2021.

Having a good cyber risk management program in place might help a company prevent some breaches. But more importantly, when a breach does happen, it can help companies get back on their feet faster and mitigate financial and reputational damage. How do you know whether your company is doing what it should to address the risk?



As cyberattacks increase in sophistication and magnitude of impact across all industries globally, private equity firms can no longer afford a “whatever” attitude towards cybersecurity. In a world where data is increasingly viewed as an organization’s most valuable asset—and yet data can also be its greatest source of risk—cybersecurity is inextricably linked to company value. It is vital for the buyer to ensure they fully understand both the value of the information assets they are looking to acquire and the level of cyber threat and vulnerability facing the target company. The buyer must also be able to determine the potential financial impact of the company’s cybersecurity preparedness or lack thereof upon the deal price.

The cyber environment is a fast-moving and dynamic one. What companies did yesterday to prepare for and battle cyber incidents may not work today, much less tomorrow. No sector is immune. Four months before cybersecurity company Avast acquired Piriform, attackers accessed Piriform's network and, some two weeks after the acquisition, injected malware into the installation file for Piriform's CCleaner product, downloaded by 2.27m CCleaner users. In a blog about the incident, Avast stated, "…M&A due diligence has to go beyond just legal and financial matters. Companies need to strongly focus on cybersecurity, and for us this has now become one of the key areas that require attention during an acquisition process…"

Knowing the challenges is half the battle. As cybersecurity experts, we see first-hand how companies are breached.

Common Challenges in Cybersecurity

  • There’s no inventory of the company’s digital assets. Only 37% of directors are very comfortable that the company has identified its most valuable and sensitive digital assets.

  • The company doesn’t know which third parties it digitally connects with. More than half of respondents to one survey say their companies don’t keep a comprehensive inventory of the third parties they share sensitive information with, let alone whether those companies have proper controls in place to protect it.

  • The company hasn’t identified who is most likely to come after its data. Only 17% of directors are very comfortable their company has identified who might attack its digital assets.

  • The company has poor cyber hygiene. 93% of all 2017 breaches could have been prevented if companies had better cyber hygiene practices, such as regularly updating software, blocking fake email messages and training employees to recognize phishing attacks.

  • The company hasn’t patched known system vulnerabilities. According to one study, 57% of respondents who reported a breach said it was due to a vulnerability for which a patch was available but not applied.

  • Companies have a wide attack surface. As companies leverage “internet of things” (IoT) devices and new technologies in running their business, their attack surface increases. 81% of business leaders say the IoT is critical to at least some of their business, but only 39% say they are very confident they are building sufficient “digital trust” controls—security, privacy and data ethics—into their adoption of IoT.

  • Employees aren’t trained on their role in security. Only 34% of executives say their company has an employee security awareness training program.


Targets should of course seek to get their security houses in order in advance of acquisition negotiations. And it would particularly behoove prospective buyers to engage privacy/security expertise from the outset not only because security-related issues may affect valuation, but also to protect themselves from material security-related risks. Accordingly, buyers should:

  • Conduct appropriate due diligence - legal and technical - regarding security and data issues, as relevant to the target's business/sector. This includes issuing enhanced legal due diligence checklists covering data protection, privacy and security. If initial responses raise any red flags, the due diligence may have to extend to reviewing security-related policies and possibly using security experts to scrutinize target systems/data.

  • Ensure transaction documents include provisions appropriate to the specific risks, such as:

      • Possible retentions from the sale price.

      • Representations and warranties on the target's security policies and implementation, addressing in particular specific security risks uncovered by the due diligence exercise.

      • Indemnities, enforceable post-completion, covering e.g. investigation, remediation, recovery and compensation costs, fines etc. for security incidents arising from pre-completion target acts/omissions.

      • Extending "material adverse change" events entitling termination, or events/circumstances entitling price reductions, to include pre-completion target security incidents.

  • Conduct an insurance review of the target as part of the due diligence review, particularly to check if any pre-existing insurance policies adequately cover cyber/security risks, and if necessary, consider obtaining appropriate specific warranty and indemnity (W&I) policies to cover warranty claims under the purchase agreement, perhaps at the target's cost.

  • Implement the secure integration and migration of the target's systems/data with the buyer's systems/data within a reasonable period after completion, aided by the due diligence report, with continual periodic monitoring and addressing of security risks thereafter.

Conclusion

As cyber threats persist, many companies and boards are starting to recognize the need for an effective cyber risk governance and oversight structure. Such a structure includes the board, IT and management so cyber risks are managed across the company. While it can be a journey to establish such a cyber risk management program, the end goal is to have a cost-effective program that addresses the key risks and allows the company to become cyber resilient. Both seller and buyer have similar interests to consider. In the end, it’s all about protecting your assets, whether digital or financial, your company’s brand reputation and ultimately its value. One will never be 100% protected against cyber criminals, even if one does remediate all discovered cybersecurity-related risks. But one can for sure minimize the impact, the damage and the time needed to reboot the company’s operations and thus preserve the company’s value. Doing nothing, and hoping to get away with it, is really no longer an option. Hope is not a strategy.

