Cyber due diligence: A must regardless of environment
How a data security plan can protect your investment
Originally published in the July/August issue of ACG’s Middle Market Growth.
What do the acquisitions of Starwood Group by Marriott and Whole Foods by Amazon have in common? Both experienced cyberattacks shortly after the acquisitions were complete and failed to uncover data breaches that occurred before purchase. These companies are not alone.
And if breaches can happen to behemoths, smaller companies with fewer protections in place are definitely at risk. According to RSM US’s 2019 NetDiligence Cyber Claims Study, of the more than 2,000 cyber insurance claims filed from 2014-2018, 96% came from small to medium-sized businesses with less than $2 billion in revenue.
While certain industries that handle sensitive personal information, including health care, financial services and retail, may see a higher incidence of data breaches, no industry is immune. If security events disrupt business operations, customers stop doing business with the organization, which leads to a significant loss of revenue.
Today, this trend is not unknown to deal-makers. Most investors have faced one or more cybersecurity incidents in their investment or portfolio companies. If the acquired company faces a security breach during the holding period, chances are the company will not command the desired multiple upon exit and will jeopardize the overall investment objectives.
Cyber due diligence will help buyers and sellers alike in understanding the critical assets from a data, infrastructure and brand reputation perspective; which threat-actors may be motivated to damage the company; the quantified and prioritized cybersecurity risk associated with critical assets; the financial loss exposure from identified risks, including the regulatory penalties if a breach occurred; and the roadmap for addressing security concerns and the price of remediation efforts.
Once you understand the value of your assets and have an idea of the threat actors, it’s important to identify the different means through which they can damage the business. Finally, you should assess what controls the business has already implemented to manage those risks.
There’s no question that cyber due diligence is paramount, but private equity firms need to make sure they are prepared to deal with threats and potential breaches on a go-forward basis as well. Immediately after closing the deal, the buyer should execute the plan developed through cyber due diligence and remediate those risks that could expose the company to significant losses. Unfortunately, cybersecurity is not a one-time investment that can then be forgotten. A trusted third party should be engaged to set up an enterprise-wide risk governance program to provide visibility into cybersecurity risk throughout the holding period.
In today’s very busy M&A environment, in which deals are closed quickly, you cannot afford to have data security issues and attacks become distractors and delay closing. While it is easy to be overwhelmed by cybersecurity issues, prudent investors can avoid major financial losses with appropriate cyber due diligence and enterprise risk governance.