Cybersecurity track records ‘derail’ deals, say M&A experts

Security audits are now standard practice for M&As and impact value, according to a poll of experts by (ISC)².
3 October 2019

Sound cybersecurity policies can be deal-breakers. Source: Shutterstock

When it comes to mergers & acquisitions (M&A), we know that buyers will comb through balance sheets, intellectual property, and market share. But new research indicates that a company’s track record for cybersecurity has become just as important. 

The Cybersecurity Assessment in Mergers & Acquisitions report by (ISC)², the world’s largest non-profit association of cybersecurity professionals, found that security audits are now “essential” to the M&A process. 

An organization’s cybersecurity tools and practices and overall security posture— and how it’s handled breaches in the past— can today “determine the feat of a deal,” according to the study. 

The survey polled 250 US-based professionals with M&A expertise. It found that buyers are forgiving to companies that have taken the right step, having suffered a security breach in the past. But more than three-quarters (77 percent) have made recommendations on whether to proceed based on the strength of the target company’s cybersecurity program. 

“[…] even if a company runs an efficient supply chain and offers great products and customer service, the absence of a robust cybersecurity program is a problem,” read the report.  

“There is inherent value in cybersecurity tools and practices, and any decision-maker considering M&A activity must not ignore this fact.”

Meanwhile, just shy of half (49 percent) had seen transaction “derail,” when a breach comes to light in the due diligence process. 

Cybersecurity posture becoming differentiator demonstrates just how much of a concern cyber threats are in the boardroom today, given their potential impact on corporate growth. 

Buyers now treat cybersecurity programs as an asset, with readiness determining the overall value of the company. However, valuations can still vary widely, depending on the maturity and effectiveness of the program and the way it’s measured.  

Interestingly, while most 86 percent said a publicly reported breach would detract from the acquisition price, a previous breach is not a deal-breaker if the company can demonstrate it acted with the correct procedure at the time. 

Meanwhile, if a company that addresses the breach, fixes security vulnerabilities, and pays any necessary fines, 88 percent said its value can increase; “This brings serious gravity to lessons learned,” read the report.  

“If an organization has learned from past incidents and mistakes, it shows a level of maturity and seriousness. It may even provide a kind of immunity, indicating that the organization is resilient in the face of cybersecurity incidents.”

Tim Mackey, Principal Security Strategist, Synopsys CyRC, said: “In the age of digital transformation where technology plays an increasingly significant role in business, the consequences of a poor cybersecurity posture have never been more severe— from breaches that result in loss of customer data and IP to regulatory fines and reputational damage.

“For companies involved in M&A transactions, the stakes are even higher as deal sizes, and stock prices can be impacted significantly by an ill-timed security incident.”

A thorough evaluation of technical and cybersecurity risks are now vital for acquiring firms, Mackey said, owed to the chances of inheriting “unreasonable technology and security debt, imminent legal or regulatory obligations, and a tarnished brand.”

Conversely, it’s the best interest of companies angling for an acquisition to prepare for such audits, “by building security into the fabric of their organization from the outset, rather than just slapping on some Band-Aids prior to an acquisition,” said Mackey. 

On how cybersecurity audits are carried out, (ISC)² found that 60 percent used an in-house team— more common among larger businesses— while 35 percent used outside consultants. In a more high-risk approach, a mere 5 percent said they allow the M&A target to self-audit, requiring a signed affidavit.