Cyber security within M&A has gone through a momentous change over the last 5-6 years. Initially investors were primarily worried about the risk of a security incident due to poor security controls –major red flags and cyber security breaches. Mergers and Acquisition buyers were therefore primarily concerned about whether a business had been breached, or whether there were significant issues to forestall them from buying a company.
Today, JJ Gericke, Senior Manager at ThreeTwoFour says this has changed over the last 5 years. “Investors are now considering the financial impact of poor cyber security more carefully because poor cyber security requires significant investment,” he explains. Subsequently, the mindset of investors has evolved from concentrating on cyber security incidents and the cost of breaches to “now being focused on the cost of building a full purpose security function that can support the growth of the business,” he says. This change has led to cyber security being seen as a key business process – viewed in the same way as Human Resources, tax, pensions, and IT.
In other words, it’s no longer about whether a cyber security incident may or may not happen. There is a need for a standard business capability that requires investors to pay equal attention to the other more commonly recognised business capabilities and processes.
Gericke says this has also “resulted in more tech-enabled due diligence where there is a move to supplement ‘traditional’ due diligence with tech-enabled solutions to scan networks and conduct dark web investigations to get a better understanding of what is being acquired.”
Changing due diligence
In contrast, he argues that tech-enabled due diligence reduces contact with management by using non-invasive tools to help form a better picture of the business you are acquiring. Tech-enabled due diligence is more efficient. A scan and analysis of the dark web for incidences of previous breaches related to the target business can be executed. Open source threat intelligence scans can also be used to identify poor security hygiene that requires remediation after acquisition.
He therefore comments: “Tech due diligence is good for two reasons: one it can replace upfront red flag due diligence where time with management is already limited, reducing the burden on management teams; and two, it supplements traditional due diligence by identifying issues that aren’t always obvious in document reviews or workshops with management.”
The impact of a cyber attack
The impact of a cyber attack on an M&A deal is highlighted in Flight International magazine’s article, ‘Spirit AeroSystems secures another discount on Asco purchase’ of 31st October 2019. Jon Hemmerdinger writes: “Spirit AeroSystems will now pay $420 million to purchase Belgium aircraft component shop Asco, having secured a further $184 million discount due to ongoing fallout from a cyberattack against Asco earlier this year.”
Putting aside financial controls and looking at cyber security in the context of investment, there is a need to analyse the core drivers of value for the business, and then there is a need to protect them. Gericke offers an example: “If you are looking to invest in an online retailer, the key things to assess are whether the platform and the supporting supply chain is prepared to deal with Distributed Denial of Service (DDoS) attacks, as well as how they protect customer and payment data; or, if you are investing in a pharmaceutical company, the focus needs to be on control and protection of Intellectual Property (IP) and research data because that is the core driver of value for the investment.”
On the flipside, sellers now have to think more carefully about how they prepare their cyber security capabilities for due diligence because buyers have significantly increased their scrutiny of companies’ cyber security. Sell-side teams are therefore working hard to prepare better documentation, better roadmaps, and cyber security budgets. Without these being adequately prepared, a business can end up being undervalued.
He explains why: “If a buyer can’t clearly see the value and the plan associated with cyber security, they may take a risk-averse view and ensure that they have built in contingency in their own investment plan, thus devaluing the business.”
GDPR: Catalyst for change
The European Union’s General Data Protection Regulation (GDPR) has functioned as a catalyst for investors’ focus on cyber security and data management. The fines for data breaches can be damaging financially and from a brand reputation perspective. Under GDPR the EU’s data protection authorities can impose fines up to 20m euros (roughly $22,508,400), or 4 percent of worldwide turnover for the preceding financial year—whatever is higher. Post-Brexit, the UK maintains its own version of GPDR.
Before GDPR, he explains that there wasn’t really anything to highlight the need to protect data and to pay serious attention to cyber security. Yet the threat of being fined under GDPR for data breaches, and the costs of cyber security incidents has forced investors to start thinking about cyber security more seriously.
BBC News revealed on 30th October 2020: ‘Marriott Hotels fined £18.4m for data breach that hit millions.’ Gericke summarises the article: “Marriot bought Starwood and then after acquisition discovered a breach that occurred before acquisition which cost them £18.4m in fines, plus what they spent on remediating the issue and reputational damage.”
Business growth with cyber security
Conversely, private equity investments in cyber security can lead to the growth of a business in new markets, and it may enable a company to add new services and products. Such investments may also permit a company to undertake large scale digital transformation initiatives. “In other words, you need to ensure that you scale securely by embedding cyber security into the value journey for the asset,” he says.
Investors should focus on the potential security threats to an organisation as no organisation’s cyber security is ever going to be perfect. However, it does need to be as tough as it can be to prevent cyber attacks. Investors therefore need to understand the risk that they will acquire, and they need to assess whether the cyber security risks fall within their own risk appetite.
He adds: “Some investors may be comfortable with acquiring a business with poor security and then investing to build a fit-for-purpose security function. Others may be more risk-averse and don’t want to acquire a business whose security function needs transformation. Regardless, investors need to understand the threats to the business if they are to make informed decisions.”
“Also, given that the cyber security threat landscape is continually changing, ‘sufficient or good security’ today will be outdated tomorrow as threat actors find new ways of exploiting targets. Therefore, concerted effort and focus is needed on security to ensure that it remains fit-for-purpose during the holding period of the asset.”
Investment sustainability
With climate change very much on the agenda after the UN Climate Change Conference (COP26) in Glasgow, Scotland, investors are also placing an increasing emphasis on Environmental Social Governance (ESG), which can play as much of a role in determining the value of a company as cyber security can. Most investors want to ensure that their investments are sustainable – and not just from a financial perspective.
Gericke explains how ESG and cyber security fit together in the picture: “In short, in ESG terms, cyber security has the biggest impact on the social and governance pillars. If we look at social, the relationships that the business created with key stakeholders such as clients and consumers can suffer considerable damage if the business is subjected to a cyber security incident, and a breach of personal and financial data can have a detrimental impact on people’s social and financial welfare.”
“Additionally, attacks on critical infrastructure such as energy suppliers and their supply chains will have a direct impact on people’s day-to-day lives. With regards to the governance pillar, the Board is responsible for the implementation of risk management controls to safeguard the business. A lack of consideration of cyber security risks, as well as management and investment in cyber security can result in security incidents which will call into question the governance approach and the processes adopted by the business.”
The trouble is that cyber security is underestimated as an ESG risk. Yet even the Covid-19 pandemic has raised the profile of cyber security – including in the minds of consumers. With an upsurge in cyber –attacks, and with many more people working from home than before the pandemic, it has underlined the need for more stringent privacy and data protection controls. This has led to the need for more socially acceptable cyber security practices. With digital transformation in particular, there is an increasing need to protect people’s digital identities as part of a sustainable investment.
The evolution of cyber security in M&A is focus-shifting. No longer is it just about the risk of cyber security breaches. It is now about having to spend more money to build cyber security. Gericke therefore concludes that the next phase is to assess how cyber security impacts ethical investments. So, the lens is on the manner in which buyers assess cyber security in businesses as part of M&A, which he predicts will change again in the future.
By Graham Jarvis, Freelance Business and Technology Journalist
