by Greg Bell

Making cybersecurity a priority in mergers and acquisitions: due diligence

Opinion
Aug 08, 2016
Cybercrime, IT Leadership, Mergers and Acquisitions

In mergers and acquisitions (M&A), the companies buying or selling need to assess cybersecurity.

Let’s say Company X wants to purchase Company Y. If Company X is smart, it will not only be looking at Company Y’s financials, structure, culture and more to determine value and strategic fit. Company X will also be taking a long, hard look at Company Y’s cybersecurity posture.

How often do the Company Xs of the world — the buyers — take that long, hard look at a seller’s cybersecurity capabilities these days? The short answer is, not often enough. Due diligence is too often treated as a defensive strategy that provides a broad, high-level view of the investment — with cybersecurity often left out in the cold.

What’s more, when the buyer does look, it often doesn’t look carefully enough. The target may have spent a lot of money on high-end cybersecurity tools and technology. That’s attractive, right? Sure — if it has been properly implemented, well-maintained, regularly updated, and kept in compliance with all applicable laws and regulations. If it hasn’t, the target may be badly compromised. Post-deal, it will also cost the buyer significant time and money to fix those problems.

The bottom line here is obvious: in mergers and acquisitions, due diligence needs to serve as an offensive strategy that includes a rigorous cybersecurity assessment, to make sure the buyer gets the value it’s paying for. And, before pursuing a divestiture or sale, the seller can also examine its own cyber practices to help reduce time and costs, avoid surprises and sweeten the deal.

Buyer beware

The fundamental questions for buyers during due diligence, then, are “What cybersecurity measures does the target have in place?” and “Are they the cybersecurity measures that should be in place?” Too many companies don’t ask these fundamental questions, and those that do often lack the perspective needed to assess the risk and potential improvement or remediation cost that they’re taking on.

“The single most important thing buyers can do is to get out in front of this problem,” says Micky Houston, Deal Advisory’s Information Technology lead at KPMG. “It is vital to establish the maturity of cybersecurity systems of a target before the purchase takes place and examine if the company performs penetration testing, security compliance process validation and regulatory control reviews — all of this and more needs to be done.”

Houston adds, “While cyber systems are undergoing those tests, a number of additional factors need to be assessed: the security policy already in place, the structure of the security architecture, the limitations and safeguards for local and remote access, the frequency with which maintenance and updates are applied, who conducts them, and how the client identifies and deals with red flags.”

Best sellers

This level of due diligence behooves prospective sellers too, who can ultimately maximize their sale price by examining their cybersecurity capabilities. Demonstrating rigorous cybersecurity preparation is a sign of the company’s maturity and instills confidence in buyers — making the company more marketable and delivering more value to the buyer.

“When pursuing a transaction, sellers may also carry out their own deep analyses to detect vulnerabilities and identify problematic areas beforehand, ensuring that they have the security processes to assure compliance and a sound structure to perform updates. A seller’s cybersecurity analysis should not only recognize present dangers but also be robust enough to predict and evolve to stay ahead of disasters that could happen during the integration phase.”

Houston adds, “Sellers should consider not just how secure systems are currently, but also how secure they will remain post-close.”

The purpose of due diligence has always been to decrease risk for both parties involved in the transaction process, identify value creation strategies that will increase returns, and ultimately, help quantify overall value. When companies include cybersecurity as a key piece of their due diligence processes, buyers can find the targets’ vulnerabilities and strengths to ensure they get the post-close value they’re looking for, and sellers can enhance their marketability by examining their own systems and finding their own weaknesses.

The most dangerous thing two merging companies can have is a false sense of cybersecurity.