Last year will be remembered as a pivotal moment for cybersecurity after a number of high profile breaches dominated the headlines. Such attacks will obviously have a lasting impact on a company’s reputation, but the effect that this can have on the value of a company is often overlooked. A cyber attack could pull the proverbial rug from underneath the sustainable growth of a business.
In our information age, a company’s expansion plans will often require the digitalisation of certain key functions and processes to improve efficiency and, by extension, profit. If this digitalisation occurs without an accompanied investment in cybersecurity, the company could unknowingly open itself up to a cyber attack at the core of business operations.
It’s difficult to put a price tag on information, and perhaps this is why data security is often overlooked or underinvested in; however, this doesn’t mean that data has no value. Research from the Ponemon Institute shows that the average total cost of a data breach is $3.79 million. The study also found that there has been a 23% increase in the total cost of a data breach since 2013.
> See also: Hacking the economy of smartphone theft
This increase could be explained by an increase in the value of data, but also by an increase in the propensity for businesses to rely on digital systems that may be vulnerable to attack. It’s therefore vital that businesses recognise the risk of a cyber attack for the damage that it can cause, not only to the security of key company data and systems, but also to the integrity of their business and value as a whole.
What does this mean for the growth prospects of a business?
This risk becomes all the more salient when one considers its implications for the future growth of the business – something that corporate investors and private equity firms are paying increasingly close attention to. Successful businesses often draw the attention of cyber perpetrators, and considerations such as whether to merge with or acquire another business is a decision that tends to come with success.
EY's Capital Confidence Barometer found that 56% of companies expect to pursue acquisitions in the next 12 months, and if your business is to consider taking this next step, it’s vital to have a comprehensive history of investment in cybersecurity and data compliance.
Buyers or investors are looking for companies that show growth potential, including the ability to expand into new markets or transform to the digital economy. Corporate buyers and private equity firms are less likely to want to acquire or merge with another if it poses a risk of compromising their own security or portfolio value.
If they do choose to go ahead with the deal despite this lack of investment in cybersecurity, it can be used as a negotiation point during the valuation process.
In the merger and acquisition (M&A) market, performing diligence on a target is an increasingly comprehensive process in our information age, but simplistically it is comparable to the process of buying a used car, in the sense that dealmakers will be more likely to purchase a model that has a history of regular service and reliability. Investment in cybersecurity can therefore not only prevent reputational damage and data leakage, but also make your business more attractive to potential buyers, and thus increase its value.
Cybersecurity in the M&A market
The M&A market in particular is a perfect hunting ground for cyber criminals, where we see $1 trillion in deals executed by Private Equity and Corporate businesses each year. In most deals, commercial pressures to ensure top line growth and drive operational efficiencies over a relatively short investment period understandably take priority.
However, rapid technological change has brought increasing cybersecurity risks, which has now become a key issue that must be managed as a vital part of the deal-making process. We explore these risks below and discuss how they can be identified and mitigated at each stage of a deal.
The activities leading up to transaction signing is perhaps the most sensitive stage, due to the number of parties involved on both the sell-side and buy-side and the multiple flows of information between these parties, above and beyond the daily course of business.
These two factors combined with the aggressive timescales of a transaction can create vulnerabilities that can be exploited by cyber criminals to gain access to commercial data, intellectual property or sensitive company information.
In order to manage this risk, companies need to ensure that they have strong information handling procedures and governance mechanisms in place to ensure the information shared maximises the valuation but limits exposure. During this period of intense activity we would expect organisations to put in place heightened security and monitoring measures to identify suspicious activity at the earliest possible stage and protect the individuals involved against inadvertent lapses.
Cyber security threats can greatly undermine the timing and success of the sale process. A cyber security attack leading up to exit can potentially lead to delays in the process, risk losing reputation and value or in some cases lead to a decision to abort the deal entirely.
> See also: Cybercrime: the scourge of the digital economy
In preparation for a sale or IPO, organisations should be aware of the expectations and requirements of potential buyers and the market, and ensure that their cyber security maturity is aligned. Incorporating a cyber security assessment as part of the exit readiness will allow time for any potential deficiencies to be addressed, and to identify if market and buyer expectations have changed or are different to the status quo.
Making the right decisions
Executives and investors need to establish whether funding initiatives to counteract the cyber threat are critical to the business’ value; examples of this could be non-compliance with regulatory requirements, increased threat exposure, vulnerable data required for day to day operations, or significant value in unprotected intellectual property that is crucial to generating the company’s revenue. Establishing the most important digital assets which create value for a company is the first step.
This can be used to assess the appropriate level of investment and understand the impact on value should these assets be compromised by a cyber attack.
Cybersecurity is equally as important for companies who have yet to enter the M&A market. If they are to achieve sustainable growth, it’s vital that key company data, intellectual property and systems are sufficiently protected against cyber attack to reduce the chance of reputational damage or value leakage.
Cybersecurity is no longer just an IT risk issue, but one that executives and entrepreneurs need to leverage to facilitate business growth and sustain deal value.
Ian McCaw, Executive Director, Operational Transactions Services, EY