Cybersecurity Programs Shown to Have Tangible Value in M&A Assessments
October 2019 by (ISC)²
(ISC)² released the findings from its Cybersecurity Assessments in Mergers and Acquisitions report, which surveyed 250 U.S.-based professionals with mergers and acquisitions (M&A) expertise. The goal of the study was to discover how cybersecurity programs and breach history factor into the dollars and cents valuation of companies during a potential purchase. 96% of respondents indicated that cybersecurity readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.
Survey respondents unanimously agreed that cybersecurity audits are not only commonplace but are actually standard practice during M&A transaction preparation. The research also found that the results of such due diligence can have a tangible effect on the outcome of a deal, both in terms of overall value and even whether a deal is completed or not.
The report’s findings highlight the importance of developing and adhering to sound cybersecurity strategies and policies in order to maximize organizational value. Among the major findings:
77% of M&A experts have recommended one acquisition target over another based on the strength of a cybersecurity program
57% of survey respondents said an acquiring company they work with has been surprised to learn of an unreported data breach during the audit process; nearly half (49%) indicated that they had witnessed a merger or acquisition agreement fall through as a result
52% of respondents indicated that the share value of publicly traded clients has been negatively affected as a result of an acquired company’s post-acquisition data breach
“Businesses are facing unprecedented challenges in protecting their digital infrastructure, and that of their customers, because of the sophisticated, targeted and voluminous attacks that can be launched against them at any time,” said Wesley Simpson, COO, (ISC)². “Our report indicates that it’s not simply whether or not a company has suffered a data breach that is most important to potential acquirers, but how the breach was remediated, and the steps taken to improve processes. Business leaders and financiers now understand that sound cybersecurity practices are critical to the bottom line and having the right skilled professionals in place to implement them is a solid insurance policy against devaluation.”
When Breaches Happen
86% of the respondents said if a target company publicly reported a breach of customer or other critical data in its past, it detracts from the acquisition price assigned. However, if that breach was satisfactorily addressed and fixed, and any potential fines already paid, 88% said it would minimize the negative impact to the overall valuation.
How Value is Assessed
Of the 96% of respondents who indicated that cybersecurity readiness is a factor in the valuation assessment, 45% said a standard plus/minus value is assigned to a cybersecurity program in a pass/fail manner. 53% said the value that the cybersecurity program represents can range widely based on the specifics of the program.
When it comes to the actual infrastructure associated with cybersecurity programs, 95% of respondents indicated that it is a tangible part of the calculation of value. 82% said the stronger the infrastructure, including soft assets such as risk management policies and security awareness training programs, the higher the value assessed. 52% said that if the audit reveals weak security practices, the cybersecurity program as a whole is considered a liability. 63% of respondents said that any information technology tools are factored in as assets.
While already a ubiquitous part of the audit process, survey respondents foresee cybersecurity playing an increasingly prominent role moving forward. While 54% consider cybersecurity audits to be vital to the M&A process already, 42% believe the importance will only increase over the next two years.
About the Report Methodology
Results presented in this report are from an online survey conducted by (ISC)² and Market Cube in December 2018. The total respondent base of 250 U.S.-based professionals is responsible for evaluating and recommending mergers and acquisitions targets for their company or clients. 47% of respondents were from organizations with 250 employees or fewer while 53% were from those with more than 250 employees. One third of respondents were from companies with more than 1,000 employees.