Why businesses can’t afford to overlook cyber security due diligence in modern-day M&A
By Mike Wills, director of strategy and policy at cyber and data security firm CSS Assure.
Cyber crime is here to stay. As digital technology evolves daily and has become a vital component of our lives, it is not surprising that cyber crime is on the rise. With 1 in 12 businesses reporting breaches several times a day, according to research from Statista, cyber security due diligence cannot be overlooked in modern-day mergers and acquisitions.
Failing to carry out a detailed cyber evaluation of the target company as part of the transaction creates a risk with significant financial, legal and reputational consequences. What would the impact on your investment be if a cyber attack occurred one hour, one day, one week or one month after completion?
Cyber security due diligence is about protecting your investment and ensuring you truly understand the risks the business you are buying presents, and what you need to do to make your acquisition as resilient and successful as possible.
Typically, we understand the obvious costs of an attack, such as business interruption, regulatory investigation and possible enforcement fines, but the unanticipated costs – management disruption, lasting reputational damage, supplier damage claims, client impact, increased insurance premiums and group litigation – are often forgotten.
Furthermore, if a major cyber attack hits an acquired business shortly after a deal has been closed, it can significantly hinder the purpose of the transaction and could present an existential threat to the wider group or organisation.
With this in mind, if you are acquiring a business, you need to understand how resilient it is. Gone are the days of ripping an information security policy off the internet and submitting it as part of general due diligence. A penetration test carried out two years ago was out of date the moment it was finished, because it reflects only the systems, configuration and vulnerabilities of that day. An incident response plan that has never been reviewed, communicated or rehearsed is ineffective.
Now more than ever, a comprehensive understanding of the cyber resilience of a business is critical. Could it be a liability and the weak link in your chain? Could it be an accident waiting to happen? Could a cyber attack already have occurred, so that you are unwittingly taking ownership of an undetected breach and its unrealised consequences? How much investment is required to bring it up to standard and keep it hard to compromise going forward?
It is important that these things are understood during the due diligence process so you can factor any potential costs or risks into your future plans and into the deal while negotiating the price.
The most sensible first step is to commission an independent cyber and data security assessment, which benchmarks the business’s cyber resilience against international industry best practice. Typically, an assessment will examine every security component of the business to find blind spots, highlight indicators that systems may already have been breached, identify whether any information about the business is already publicly available that could present a risk, and provide a report detailing remediation requirements and a recommended roadmap for implementing them.
Cyber due diligence is becoming the standard. Its adoption within M&A transactions increases every day, and it is equally applicable to private equity investments, banks extending lines of credit, and those dealing with restructuring and insolvency.
The other side of the table
Businesses that are selling, as highlighted above, should expect cyber due diligence to be conducted on them. If you are not prepared, this can complicate the transaction, and any risks and weaknesses uncovered can be used to drive down the final acquisition price.
Transparency, honesty and impartiality are important. If you can show that an external company has conducted a cyber audit that sets out the potential costs and risks, it will go a long way towards building trust in your business and securing the deal.