Cyber Due Diligence: A Must, Regardless of Environment
If cybersecurity breaches can happen to large companies, smaller ones with fewer protections are definitely at risk—and no industry is immune.
What do the acquisitions of Starwood Group by Marriott and Whole Foods by Amazon have in common? Both experienced cyberattacks shortly after the acquisitions were complete and failed to uncover data breaches that occurred before purchase. These companies are not alone.
And if breaches can happen to behemoths, smaller companies with fewer protections in place are definitely at risk. According to RSM US’s 2019 NetDiligence Cyber Claims Study, of the more than 2,000 cyber insurance claims filed between 2014 and 2018, 96% came from small to medium-sized businesses with less than $2 billion in revenue.
While certain industries that handle sensitive personal information, including health care, financial services and retail, may see a higher incidence of data breaches, no industry is immune. If security events disrupt business operations, customers stop doing business with the organization, which leads to a significant loss of revenue.
Today, this trend is not unknown to deal-makers. Most investors have faced one or more cybersecurity incidents in their investment or portfolio companies. If the acquired company faces a security breach during the holding period, chances are the company will not command the desired multiple upon exit and will jeopardize the overall investment objectives.
Cyber due diligence will help buyers and sellers alike in understanding the critical assets from a data, infrastructure and brand reputation perspective; which threat-actors may be motivated to damage the company; the quantified and prioritized cybersecurity risk associated with critical assets; the financial loss exposure from identified risks, including the regulatory penalties if a breach occurred; and the roadmap for addressing security concerns and the price of remediation efforts.
Once you understand the value of your assets and have an idea of the threat-actors, it’s important to identify the different means through which they can damage the business. Finally, you should assess what controls the business has already implemented to manage those risks.
There’s no question that cyber due diligence is paramount, but private equity firms need to make sure they are prepared to deal with threats and potential breaches on a go-forward basis as well. Immediately after closing the deal, the buyer should execute the plan developed through cyber due diligence and remediate those risks that could expose the company to significant losses. Unfortunately, cybersecurity is not a one-time investment that can then be forgotten. A trusted third party should be engaged to set up an enterprise-wide risk governance program to provide visibility into cybersecurity risk throughout the holding period.
In today’s M&A environment, you cannot afford to have data security issues and attacks become distractors and delay closing. While it is easy to be overwhelmed by cybersecurity issues, prudent investors can avoid major financial losses with appropriate cyber due diligence and enterprise risk governance.
Kevin Carpenter is the cybersecurity due diligence leader for RSM US LLP.
Nishi Shah is a director in the Transaction Advisory Services practice of RSM US LLP, specializing in cybersecurity due diligence.
Ryan Duquette is a partner with RSM Canada’s Security, Privacy and Risk Consulting practice.