Cyber due diligence: A must regardless of environment
What do the acquisitions of Starwood Group by Marriott and Whole Foods by Amazon have in common? Both targets were hit by cyberattacks shortly after the acquisitions were completed, and in both cases the acquirer failed to uncover a data breach that had occurred before the purchase. These companies are not alone.
And, if breaches can happen to behemoth companies, then smaller companies with fewer protections in place are definitely at risk. According to the 2019 NetDiligence Cyber Claims Study, of the more than 2,000 cyber insurance claims filed, 96% came from small to midsized businesses with less than $2 billion in revenue.
According to the World Economic Forum’s recent Executive Opinion Survey, cyberattacks remain the No. 1 concern for doing business in North America. What’s more, cyber breaches are projected to cost the global economy $6 trillion in damages by 2021, according to Forbes. The barrier to entry for bad actors has become much lower: unsophisticated attacks built on ransomware, malware pop-ups and simple phishing kits, some costing less than $1, have become more common. Only one in four small businesses is prepared to deal with a cyberattack, according to Small Business Trends. The threat is there, and it’s not going away.
While industries that handle sensitive personal information, including health care, financial services and retail, may see a higher incidence of data breaches, no industry is immune. When security events disrupt business operations, customers may stop doing business with the organization, which leads to a significant loss of revenue. The NetDiligence Cyber Claims Study indicates that business income loss is the biggest contributor to the rising cost of security incidents. In fact, 25% of small to midsized businesses filed for bankruptcy and 10% went out of business after experiencing a data breach, according to National Cyber Security Alliance research.
This trend is not unknown to today’s dealmakers. Most investors have faced one or more cybersecurity incidents in their investment or portfolio companies. If the acquired company faces a security breach during the holding period, chances are the company will not command the desired multiple upon exit, and the overall investment objectives will be jeopardized.
Data is the new oil. Just as a prudent dealmaker would assess the risk of an oil spill before investing in an oil exploration business, an investor should assess the risk of data leaks in this data-driven economy.
Cyber due diligence involves a quantitative risk assessment to estimate the financial loss exposure of a target and develop an appropriate mitigation strategy. Cyber due diligence will help buyers and sellers alike to answer the following questions:
- What are the critical assets from a data, infrastructure and brand reputation perspective?
- What threat actors may be motivated to damage the company?
- What are the quantified and prioritized cybersecurity risks associated with the company’s critical assets?
- What is the financial loss exposure from identified risks, including the regulatory penalties if a breach occurred?
- What does the road map to addressing security concerns and the pricing for remediation efforts look like?
Once an investor understands the value of the assets and has an idea of the likely threat actors, the next step is to identify the attack paths through which those actors could damage the business. Finally, the investor should assess which controls the business has already implemented to manage those risks, and how effective they are.
There’s no question that cyber due diligence is paramount, but private equity firms need to make sure they are prepared to deal with threats and potential breaches on a go-forward basis as well. Immediately after closing the deal, the buyer should execute the plan developed through cyber due diligence and remediate those risks that could be exposing the company to significant losses. Unfortunately, cybersecurity is not a one-time investment that can then be forgotten. A trusted third party should be engaged to set up an enterprise-wide risk governance program to provide visibility into cybersecurity risk throughout the holding period and beyond.
Technical teams need time to get in and assess the risk, and the value of making that time for cyber due diligence cannot be overstated. In a white-hot market, deals close quickly. As long as private equity firms are not taking enough time to conduct appropriate cyber due diligence ahead of the transaction close, we will likely continue to see data security issues and attacks arise after the deal is done.