Cybersecurity issues are deal breakers. In a recent survey on software mergers and acquisitions conducted by West Monroe Partners, more than half of the respondents surveyed reported discovering a cybersecurity problem after deal closing. Cybersecurity issues were the second-most common reason that deals were killed, and the second-most common reason buyers and investors regretted doing the deal at all.
In February 2018, an American drug maker lost 34% of its value in the middle of a $5 billion takeover due to a data breach. The FTC is investigating, and the company’s stock is significantly lower than it has been all year. The deal may still go through, but at a considerable loss. This doesn’t include the additional costs attributed to mitigating the breach, dealing with regulators, and now installing the correct preventative measures and technology to avert future breaches. Loss of investor and customer confidence can’t be underestimated going forward.
Additional research done by the New York Stock Exchange Governance Services and Veracode found that, upon discovering a breach, three quarters of buyers and investors would either pass on the deal or complete it at significantly less value. Furthermore, 85% stated that discovering major security vulnerabilities would likely affect the terms of the deal. No doubt these indicators are trending up as more cybersecurity incidents occur across a wider number of domestic and international companies regardless of industry.
Whether you are a private equity, venture capital, family investment office, or other investor group, or you are the lawyer, accountant, consultant, or banker servicing them, you need to ‘up your game’ before putting more capital at risk in an acquisition or investment transaction. If deals are to be brokered, not broken, cybersecurity must be a priority. The research is clear, cybersecurity due diligence now holds equal weight along with financial and tax due diligence. Here are the most important questions and answers to tackle about cybersecurity due diligence and deal risk management:
- We get that cybersecurity due diligence is important, but where do we get started? Do I hire a staff or outsource?
Hiring the staff…
Building an effective cybersecurity due diligence team can cost upwards of $400,000 annually. Expertise in security controls and frameworks across all business functions, evaluating compliance with industry mandated and third-party standards and being able to appraise the security of technology stacks are high demand, low density skill sets. Recruiting, hiring and retaining quality cyber security professionals is a challenge across all industries.
Cybersecurity firms provide the expertise for risk and compliance needs, along with the Managed Security Services like security monitoring, vulnerability assessments, employee training, and policy and process writing. These services can be considerably less than building an in-house team; as little as 20% of the cost of hiring depending on your needs and the provider chosen.
The problems these solutions are attempting to solve…
Businesses that operate in tightly regulated industries like healthcare, finance, pharmaceutical, education and government will directly contend with HIPAA, GDPR, SEC/FINRA, FERPA, DFARS, etc. Cybersecurity compliance measures are just as hefty for the non-regulated industry attempting to comply with Vendor and Business Associate Agreements per contract requirements. This is the new normal. Companies are aware of risks that vendors pose to one another and force adherence to security control frameworks (e.g., NIST, ISO, SANS, etc.). From the moment this requirement is made, a company is months away from being close to comply with a given set of security controls.
- How do we manage and control cybersecurity due diligence costs so that the outlay is reasonable, and the outcome is meaningful?
The cost of cybersecurity is a moving target, but there is a reasonable approach. The more reactive an organization is to a cybersecurity matter, the more expensive it is all at once. For example, if you wait until you are up against a deadline, the costs will go up. Cybersecurity firms that conduct cyber due diligence services are in high demand and its highly possible they have a backlog of clients awaiting the assessment, testing, and mitigation services needed to comply with due diligence requirements.
As you will see in the following answers, there are non-technical activities that can be performed as a part of the due diligence process to get a high-level overview of the security posture. The main idea is to know what the current level of protection is against sensitive company information.
It is a good sign if the company being considered already has a proactive security approach. This means there is less risk to manage, and less to spend as a part of the initial integration activities if the acquisition goes through. The more reactive the approach, the more expensive it will be to implement and, as a result, there will be more heavy lifting required and potentially new resources will be needed in the future. By taking the approach as listed below, you should be left with an action plan to use as you move forward through the M&A and investment process.
- I know that cyber security risk management is necessary, and I don’t want to get burned. Tell me what a good cybersecurity due diligence program is and what will I learn from it.
A primary reason to stray away from relying solely on audits and compliance reports as a main source of due diligence is that they are a point-in-time assessment, and the information security landscape changes daily. If you combine this with the various business risks that arise as part of the mergers and acquisitions lifecycle, information security risks increase as the M&A process continues.
The first logical step of information security due diligence is to perform a risk assessment based on industry standards which will identify strengths and current gaps within the environment. This will also provide a high-level overview of current processes in place and technical capabilities. Part of this risk assessment may also include reviewing the handling of previous security incidents (both technical and non-technical) and show what protection is available.
Depending on the timeline and budget, add as many of the next few items into the due diligence process as possible to get a clear picture of the security posture of the company:
- Technical assessments: This could include vulnerability scans and penetration testing to test network security. A third-party may be required to perform the testing depending on skillsets of the available internal resources. However, some larger companies may already participate in technical assessments as a compliance requirement, so recent scanning reports may be available to suit this need.
- Meetings and interviews with leadership and management: Though this should be pre-built into the due diligence process, meeting with leadership after the risk assessment is performed is a good way of learning how information security fits into the overall corporate structure and how remediation is prioritized and budgeted.
- Risk profiling: This activity involves identifying factors that contribute to risk and how they affect each other to paint the full landscape of risks, their likeliness to occur, and their impact on the business.
If these items are performed during the due diligence process, they can be turned into an ongoing mitigation and action plan. These can be used by leadership as the deal moves forward through the cycle long after the due diligence process ends, increasing the value received for the money spent.
- We only have two weeks until “best and final” bids are due. What can you do in that length of time? How useful and assuring will that work be?
Several items could be planned into a short due diligence timeline, but it will not give you a holistic view of the environment. Some shorter activities may include:
- Network Vulnerability Assessment
- Penetration Testing
- Employee Cyber Awareness Training
- Obtaining a quote for cyber insurance
The outcome of these activities also highly relies on the market and availability of cybersecurity professionals and their ability to get the work done in time. In other words, you are ‘rolling the dice.’
At the very least, focus on gathering information to get a high-level overview of the following risks:
- Data Management Risk: What are the ‘crown jewels’ (e.g. the most valuable information within the company)?
- Technical Risk: What technologies are in place to protect the crown jewels?
- Corporate Risk: What employees and third-parties have access to crown jewels? How are third parties vetted, managed and audited?
- Employee Risks: Employees are the biggest risk to data security. How are the employees trained to know information security best practices?
- Previous Incident Track Record: If an incident has occurred in the past, how has it been managed?
- Cost of a Cyber Breach: According to the Ponemon Institute’s “2017 Cost of Data Breach Study: United States,” a breach costs the organization an average of over $2.4 million. What would that cost be for your company?
- Why can’t I just slap some rep and warranty insurance in place along with a cybersecurity insurance policy post-closing? Isn’t that good enough?
If a cyber policy has been purchased, but there is not a cybersecurity program in place, the policy is not likely to protect the company in the event of a breach. Without knowing the cyber risks within the company, there may not be protection of those risks within the insurance policy.
When attempting to get cyber insurance, underwriters will look at the state of information security maturity within the organization to determine the amount of coverage available and the cost. They will want to have discussions regarding dedicated information security resources, policies and procedures, employee education, incident response planning, vendor management, and other security related areas before offering a quote.
In addition, not all policies offer the same amount of protection. Here are some examples of cyber insurance coverage:
- Data Privacy Coverage
- Liability Coverage for Loss or Breach of Data
- Coverage for Remediation Costs such as Customer Notification and Forensic Investigations
- Coverage for Regulatory Fines and/or Penalties Associated with Data Breaches
- Costs and Liability arising out of Cybersecurity Incidents not involving Data Breaches
- Business and Contingent Business Interruption
- Cyber Extortion
- Media Liability
- How about after the deal is done? What do we do to maintain a positive cybersecurity risk environment until it is our turn to cash out?
The cost of maintaining a program is minimal compared to not having one or restarting one after it went dormant. Once set up, consider it the cost of doing business. This is the new normal. That said, once the M&A transaction has occurred, that is the best time to reassess the cybersecurity posture of the company, or its key assets.
If the due diligence process was done thoroughly you will have an action plan moving forward, understand the current risks, and have a roadmap of activities to consider for implementation and ultimately protection.
The M&A process is one that many know well, and around the business community most believe they understand every aspect of the process, the pitfalls, and upsides. The point of this white paper is to spark new thinking about the process and insert methods to add maximum value, for a lot less effort and resources than many think possible.
Just as cyber breaches are a new normal in today’s business community, cyber due diligence is upon us, and there is an efficient way to act. It affects the entire ecosystem surrounding any merger, acquisition, investment or leadership change. Tap the experts around you to start thinking about these questions, and take a proactive approach, every time.
About Kevin Hyde
Kevin Hyde is an expert in establishing cybersecurity operational and governance policies for the intelligence community and private industry. He is a career field grade officer in the Marine Corps Reserve and recently served on active duty at the National Security Agency and U.S. Cyber Command. In addition to his technical career, Kevin has utilized his former experience as a spokesman for the Marine Corps by speaking as a cybersecurity expert on multiple panels and conducting executive trainings for various companies. Kevin has a Master’s Degree from Seton Hall University in Strategic Communications and was honored with the designation as one of Philadelphia’s top Veterans of Influence by the Philadelphia Business Journal in July 2016.
About Jack Warnock
Jack Warnock is an M&A pro and a consigliere to CEOs who are exiting their businesses. He will ensure that the outcome is optimal, the best value is achieved, and the transition is smooth, all while you and your team continue to effectively do your day job. Jack is a trusted resource with proven knowledge about how companies work; how ownership changes; how to buy businesses; how companies are sold; and how owners win.
“2016 Cyber Insurance Buying Guide.” Www.aba.com, American Bankers Association, 2016, www.aba.com/Tools/Function/Documents/2016Cyber-Insurance-Buying Guide_FINAL.pdf.
“2017 Cost of Data Breach Study: United States.” Ponemon Institute, 2017, https://www.ponemon.org/blog/2017-cost-of-data-breach-study-united-states
“Cyber due diligence Protecting M&A value.” Www.grantthornton.co.uk, Grant Thornton, 2017, www.grantthornton.co.uk/globalassets/1.-member-firms/unitedkingdom/pdf/publication/cyber-due-diligence-protecting-m-a-value.pdf.
“Cyber Security in M&A.” Freshfields Bruckhaus Deringer LLP, July 2014, www.freshfields.us/globalassets/services-page/global-investigations/publicationpdfs/01214_bs_mbd_media_ma-cyber-security-report_web_aw.pdf.
“CYBERSECURITY AND THE M&A DUE DILIGENCE PROCESS.” Nyse.com, New York Stock Exchange, 2016, www.nyse.com/publicdocs/Cybersecurity_and_the_M_and_A_Due_Diligence_Process.pdf.
“Don’t drop the ball Identify and reduce cyber risks during M&A”, Www.deloitte.com, Deloitte Development LLC, www2.deloitte.com/content/dam/Deloitte/us/Documents/mergers-acqisitions/us-madont-drop-the-ball-Identify-and-reduce-cyber-risks-during-m-and-a.pdf.
“Akorn Shares Crash 34% After Fresenius Warns on Takeover Amid Data Breach Probe” www.thestreet.com/story/14501660/1/akorn-shares-plunge-after-fresenius-warns-on-takeover-amid-data-breach-probe.html
Helloquence on Unsplash
Rawpixel.com on Unsplash
- Exit Advice from “Exits – Traps and Triumphs” CEOs - June 21, 2018
- Buying In – Cybersecurity Risk and Due Diligence - April 17, 2018
- A Panel of CEOs Speaking About Exits to CEOs and Business Owners - March 28, 2018
- What Worries CEOs When They Exit - January 1, 2018
- Cyber Security Problems in M&A – Real, Not Imagined, and Hitting Hard - July 17, 2017
- Cyber Security Summits – Great Content; Deep Learning; Excellent Connections - May 26, 2017
- The CEO at Exit: Prepare; Talk; Listen; Empathize - May 5, 2017
- Be Prepared! Because “Startups get bought, not sold” - November 20, 2016
- Cyber Security Before, During and After Your Sale – Part II - October 7, 2016
- Cyber Security Before, During and After Your Sale – Part I - September 4, 2016