
Cyber Security Forensic Audit in Mergers and Acquisitions

Why cybersecurity due diligence is essential in M&A transactions and how black box testing can reveal hidden digital risks.

Imagine you're buying a business. The first step would, of course, be to carry out a financial audit to help assess the risk and return profile of the business.

But what about the digital risk profile? When Yahoo! was acquired by Verizon, the discovery that 1.5 billion user accounts had been compromised resulted in the purchase price being reduced by $350 million. This is just one high-profile example of how cybersecurity issues can have a material impact on the value of a transaction.

Historical and Present Risks

The cybersecurity risks associated with a merger or acquisition fall into two broad categories: historical cybersecurity issues and the present state of the target's digital infrastructure.

Historical risks include previous cyberattacks, data loss incidents and non-compliance with data protection regulations. Any of these can create ongoing liabilities for the acquiring company. If a target has suffered a data breach that has not been properly disclosed or remediated, the acquirer may inherit significant legal and financial exposure.

Present risks relate to the current state of the target's compliance posture, the potential for data and intellectual property theft, the risk of corporate embarrassment, and exposure to bribery or blackmail. Uber, for example, paid a $148 million settlement after it was revealed that the company had concealed a data breach affecting 57 million users and drivers.

The Scale of the Problem

Research by PwC found that 80% of deal-makers reported encountering data security issues in at least 25% of their M&A targets. This statistic underscores the critical need for comprehensive cybersecurity audits to be integrated into the standard due diligence process for any merger or acquisition.

Black Box Testing in M&A

A specialist digital risk assessment involves penetration testing of the target's applications and infrastructure to identify vulnerabilities and assess its overall security posture. Black box testing, in which the assessor has no prior knowledge of the target's systems, is particularly revealing because it reproduces the perspective of an external attacker.

Black box tests can be conducted covertly, which is an important consideration in the often sensitive environment of mergers and acquisitions where discretion is paramount. The results provide an objective, evidence-based assessment of the target's security posture that can directly inform valuation and negotiation decisions.

Cybersecurity evaluation should be treated as an integral component of the due diligence process in any merger or acquisition. It is essential for protecting shareholder confidence and ensuring that the acquiring company is fully aware of the digital risks it is assuming. A proactive approach to cybersecurity assessment is the key to protecting business value and avoiding costly surprises after the deal is done.

Jonathan Sharrock, Cyber Citadel.