Earlier this week, (ISC)² – the world’s largest non-profit association of certified cybersecurity professionals – released the findings from its Cybersecurity Assessments in Mergers and Acquisitions report, which surveyed 250 U.S.-based professionals with mergers and acquisitions (M&A) expertise. The goal of the study was to discover how cybersecurity programs and breach history factor into the dollars and cents valuation of companies during a potential purchase. 96% of respondents indicated that cybersecurity readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.
It has been reported that survey respondents unanimously agreed that cybersecurity audits are not only commonplace, but are actually standard practice during M&A transaction preparation. The research also found that the results of such due diligence can have a tangible effect on the outcome of a deal, both in terms of overall value and even whether a deal is completed or not. The report’s findings highlight the importance of developing and adhering to sound cybersecurity strategies and policies in order to maximise organisational value.
In the age of digital transformation where technology plays an increasingly significant role in business, the consequences of a poor cybersecurity posture have never been more severe—from breaches that result in loss of customer data and IP to regulatory fines and reputational damage. For companies involved in M&A transactions, the stakes are even higher as deal sizes and stock prices can be impacted significantly by an ill-timed security incident.
For acquiring companies, it is critical to perform a thorough evaluation of technical and cybersecurity risk factors as part of the due diligence process. Failure to do so can result in the acquiring company inheriting unreasonable technology and security debt, imminent legal or regulatory obligations, and a tarnished brand. Specifically, the acquirer should be vetting that the target entity has well-established processes and controls in place for developing, deploying and maintaining their technology securely. They also need to ensure that the open source components used to build the technology, which typically exceed the proportion of proprietary components, are sufficiently secure, up-to-date, and free of software license conflicts or violations.
Conversely, it’s in the best interest of companies angling for an acquisition exit to anticipate and proactively prepare for technical due diligence audits by making sure these processes and controls are in place—ideally by building security into the fabric of their organisation from the outset, rather than just slapping on some Band-Aids prior to an acquisition.