What You Need to Know About Cybersecurity before Starting Due Diligence

Verizon’s acquisition of Yahoo taught us that the financial implications of a data breach are significant. They can dramatically decrease a deal price—sometimes resulting in a discount of hundreds of millions of dollars—and often incur additional costs related to cleaning up after the attack and restoring customer trust.

The Financial Implications of Cybersecurity Risk

With the prevalence of data breaches—and their financial impact—cybersecurity takes on even greater importance for technology companies planning for an exit, such as an acquisition, merger, or IPO. According to a 2016 survey of public-company directors released by the New York Stock Exchange (NYSE) and Veracode:

  • 22% wouldn’t consider acquiring a company that had recently experienced a significant data breach.
  • 52% said a breach would significantly lower the target’s valuation.
  • 85% said the discovery of major security vulnerabilities during the due-diligence process was either very or somewhat likely to affect a merger or acquisition.

Why It Matters

A company’s data is often what’s sought after during an acquisition. Companies don’t buy companies, they buy value—and the assets valued in an acquisition are the same ones that make it attractive to a hacker. These include the following:

  • Source code
  • Proprietary information and systems
  • Customer lists

A cybersecurity-aware company knows where critical assets reside and how safely they’re protected. This is achieved through:

  • Policies and procedures
  • Data-protection mechanisms
  • Security awareness program, including in-depth employee training
  • Robust incident-response plan

The complexity of today’s business operations makes keeping data secure harder than it once was. The availability of cloud technologies means critically important information may be stored offsite, while companies that outsource key functions may inadvertently give vendors access to data with inadequate security controls. Additionally, the ease in which cloud services can be utilized lets anyone send sensitive information outside an organization without its IT department knowing.

Three Cybersecurity Principles

In this environment, companies anticipating a due-diligence review—as either a buyer or a seller—have a lot to sort through. We’ve provided three principles to focus on while preparing for a review.

Start Now

Addressing cybersecurity exposure and risk prior to the due-diligence process gives companies a better chance to do the following:

  • Demonstrate accurate valuations
  • Facilitate smoother transactions
  • Achieve a successful deal outcome

Reviewing cyber-risks early also provides companies with a longer time to remediate vulnerabilities and mitigate risk.

An ongoing cybersecurity program—even when a deal isn’t on the table—may make a company more attractive once it is. It can indicate a commitment to security controls and data governance—two qualities highly valued by buyers.

Go Deep and Wide

At a minimum—as highlighted in the NYSE and Veracode report—a cybersecurity due-diligence review should entail a thorough investigation of the following:

  • Viewing security logs
  • Reviewing application and database access levels
  • Reviewing recent compliance audits

In addition to the above items, companies can benefit from looking closely at these key areas:

  • Privileged accounts
  • Asset tracking
  • Data governance
  • Security event monitoring and alerting
  • Incident-response abilities
  • Disaster- and business-continuity capabilities
  • Vendors’ contract language

Build a Culture of Security

A strong cybersecurity culture starts at the top of an organization—with the board of directors and executive management. According to European Union Agency for Network and Information Security’s Cybersecurity Culture in Organizations report, a cybersecurity culture is the “knowledge, beliefs, attitudes, norms, and values of people regarding cybersecurity and how these manifest in interacting with information technologies.”

When individuals know the risks, protocols, and required actions, awareness increases and technical controls become more effective. Companies can greatly benefit from building, maintaining, and testing a strong security-awareness training program.

It’s important executive management participates and promotes awareness training. All employees, contractors, and vendors should also be involved to help ensure cybersecurity is top of mind for everyone with access to systems and data.

In today’s world of aggressive cybercrime, companies of any size need to get smart, structured, and started on cybersecurity before acquisition talks begin. Doing so can help strengthen the value of assets being bought or sold, facilitate smoother negotiations, and keep reputation or regulatory threats from doing damage before the deal is done.

We’re Here to Help

For more information about strengthening your company’s cybersecurity efforts, please contact you Moss Adams professional.