Cyber security can have a significant impact on business value across the lifecycle of an investment. By considering the cyber security risks and priorities at each stage of the deal process, you can mitigate the threat of cyber-attacks, avoid overspending on security, and maximize the return on investment.
Acquiring a company means taking on its digital operations and acquiring its past, present, and future data security problems. This means effective cybersecurity due diligence is essential, as it may uncover several technical, financial, and legal risks in the target which can affect the final terms of the acquisition agreement and the level of consideration the purchaser is willing to pay or, if the identified cyber issue is very serious, jeopardize the transaction itself.
Recent events have brought the importance of cyber security to the front of many businesses’ minds. The costs associated with cyber incidents are often severe and may include:
- Forensic and investigative activities
- Assessment and audit services
- Crisis management
- Notification of affected third parties
- Consumer class action or other litigation with customers, suppliers, or business partners
- Regulatory investigations and fines
- Business interruption or contingent business interruption losses
- Loss of reputation and goodwill
Cybercrime is estimated to cost the UK £27 billion a year, and the average cost to a large organization of a data security breach is between £1.46 million and £3.14 million. Nonetheless, the risk of cyber incidents is not always considered in depth or dealt with in deal due diligence.
The UK was hit recently by numerous high-level attacks which were serious enough to warrant National Cyber Security Centre involvement, and by countless lower-level ones. Recent examples of such high-level attacks are the WannaCry and Petya attacks.
Other reasons for cyberattacks might include gaining access to a company’s trade secrets or intellectual property (for instance, a pharmaceutical company’s formula for a drug or a manufacturer’s product design), or to customer information or employee data, from personally identifiable information, personal health information, or credit card details to other confidential information such as historical financial data and projections, customer lists, or corporate strategies.
Understanding and addressing cyber risks in connection with an acquisition is important for both purchasers and sellers. That, however, can be a difficult task. Cyber issues may be latent, and the extent of potential damage is often difficult to quantify. The target might be unaware of a cyber intrusion and may not know what the attackers have done to or with the high-value digital data they accessed and compromised.
Many data breaches, for example, are not discovered for many months or years after their inception, so parties run the risk of closing a deal well before an attack is discovered. In addition, determining the “materiality” of apparent cyber incidents without knowing, other than by inference, the nature of the digital assets at risk or the harm that could flow from their compromise is very difficult. Similarly, assessing the potential devaluation of the target’s high-value digital assets without evidence of what was accessed and exploited is very complicated.
Further, the current legal framework fails to address cybersecurity risks and issues effectively. There is no single set of mandatory cybersecurity rules with which companies must comply. Instead, there are several different laws, rules, and regulations which apply depending on the context of the relevant incident and the nature of the organization involved. The lack of a clear set of rules also makes it very difficult to assess a target’s current and historic cybersecurity posture.