Cybersecurity has been elevated and recognized as a critical operational factor in business planning today. That’s why it’s surprising that most companies engaged in mergers and acquisitions activities fail to include cybersecurity as part of their due diligence process.
This lack of consideration is worrisome, given the impact cybersecurity issues can have post-acquisition. TechCrunch noted that in a recent Forescout poll of IT professionals, 65% of respondents expressed buyer’s remorse after the deal was completed due to cybersecurity issues. Only 36% of those polled felt that they had adequate time to evaluate cybersecurity threats.
The real question is, why isn’t cybersecurity being given more priority in due diligence?
After all, shouldn’t the main criterion for evaluation be to explore the full financial risk for the company in question? A dollar value could then be attached to cybersecurity risks and threats affecting the future financial performance of the company.
This is why Parabellyx looks at cyber risk as part of the utility and profit equation, and that’s how we evaluate threats to a company under a cybersecurity assessment. It’s also why every M&A review should include cybersecurity as part of the due diligence process: those risks directly affect the bottom line.
By engaging in a proper due diligence process that involves reviewing data and operational risks, you can assign a specific financial value to them. By showing the impact of those risks, you can demonstrate how those risks affect the profitability of that particular deal. When you only review the financials and the business’s operational side, without including cybersecurity as part of that due diligence, you leave yourself open to risks that actually change the value of a company and may even lead to buyer’s remorse.
Why does this happen?
As the article in TechCrunch suggests, “with limited time and little background in cybersecurity, M&A teams tend to focus on more urgent transactional areas of the deal process, including negotiating key business terms, business and market trend analysis, accounting, debt financing and internal approvals. With only 2-3 months to evaluate a transaction before signing, cybersecurity typically only receives a limited amount of focus.”
It’s much harder to put a monetary value on security because, frankly, a security risk is not a risk; it is an uncertainty, and it’s challenging to put a financial value on uncertainty. That’s why a lot of people neglect to review the security stance of the company. But they should!
There are methodologies that can address cybersecurity risk and uncertainty in order to understand the financial implications of the acquisition. You simply need to involve a cybersecurity vendor to perform a risk assessment as part of your evaluation. The benefits of a risk assessment include identifying any cybersecurity uncertainties that can manifest as a potential financial or reputational loss. The assessment uncovers the risks that cybersecurity threats can represent to a valuation. This assessment also helps you post-acquisition, providing you with a cybersecurity roadmap that can reduce your overall costs for cybersecurity over time.
When we look at cybersecurity risks, there are three main areas that we believe should be included in every M&A due diligence process.
1. Loss of Business Continuity
The principal evaluation is related to any issues that can pose a loss of business continuity, such as a ransomware or DDoS attack, or even a breach that can take down your systems. If any of these occur, you may not be able to operate at all, or, if a large part of your revenue comes from digital channels, you may not be able to complete customers’ transactions, resulting in significant financial loss.
2. Loss of Assets
Another key area involves the potential loss of assets. Does the company have any intellectual property? If it does, how well is that intellectual property protected? If the intellectual property has provided substantial value to the M&A valuation, you want to ensure that it hasn’t been taken and used by your competitors due to a security compromise. You also want to understand if critical data related to your customers and your business is protected, because a breach can significantly reduce your competitiveness and cause reputational loss.
3. Financial Loss
The last core evaluation parameter concerns direct financial loss. This can result from a successful ransomware attack, or from third-party supplier or business fraud, leading to a direct monetary loss. Other risks for financial loss can come directly from the operations side of the business. Even if the company has an extensive cybersecurity operation, the moment you assume control of that company, it becomes an operational cost for you. So, if you operate multiple assets together, and if you’re not planning the M&A as a short-term holding, you will want to evaluate how you can improve operations and cost efficiencies by perhaps merging the data organization with one of the other assets that you own. There is a real possibility that you can reduce cybersecurity costs overall by centralizing some of those operations across multiple assets that you may already own.
If you would like to learn how Parabellyx can assist you, please reach out to us at www.parabellyx.com. We can assist you in your due diligence and help prevent buyer’s remorse.
Parabellyx are security-matter-experts who take a focused and business-aligned cybersecurity approach to developing strategies that accomplish your key business goals and objectives. We then train your entire organization in security, preparing you for any threat until a security mindset is entrenched across your entire company, protecting and ‘future-proofing’ your information, your employees, your customers, your shareholders and your reputation.