Photo Source: Yenwen Feng – The slogan on the remodeled wall of Tiffany on Wall St

You are considering investing in or acquiring a company, and you have a team of advisors evaluating the risks.

The most critical function of any merger or acquisition team is to properly assess the value of a target company. 

Do you know what to assess about their cybersecurity soundness?

Cyber security in the M&A process is about more than just keeping sensitive data safe. Acquirers must assess whether their target carries an acceptable level of cyber risk in the same way they would analyze its financial position. A thorough knowledge of a business’s cyber security is equally important during the integration phase. 

The security team plays an important role on the merger and acquisition team. It has a responsibility to mitigate risks and protect the interests of the company, its owners and shareholders. In support of this obligation, security, as a member of the merger or acquisition team, helps the team make informed decisions and execute a successful transaction.

Recently Freshfields did a survey of 214 global deal-makers from corporate, financial institutions, investors and legal services providers (63 per cent from North America, 34 per cent from Europe and 3 per cent from the rest of the world) on their awareness of cyber risk and how it affects their working practices. Their results show that 78 per cent of respondents believe cyber security is not analyzed in great depth or specifically quantified as part of the M&A due diligence process, despite 83 per cent saying they believe a deal could be abandoned if previous cyber security breaches were identified and 90 per cent saying such breaches could reduce the value of a deal.

Investment professionals need to gain access to material information about cyber risks and events. Unfortunately, the information available to investment professionals is inadequate or unclear. Companies don’t disclose or account for important information about cyber risks and events, either because they do not know what is happening on their networks, or because they are worried about the impact that disclosure will have on their reputation and valuation.

Recently, the Securities and Exchange Commission issued guidance addressing this challenge by requiring publicly traded companies to disclose such information. 

In a recent SEC cybersecurity roundtable, SEC Chair Mary Jo White stated that cyber-threats are extraordinary, of long-term interest and surpass terrorism in the seriousness of the risks they pose to the U.S. She noted the SEC’s basis for jurisdiction as falling within three areas: mandates relating to the integrity of market systems, the need to protect customer data and the need to address the disclosure of material information on the part of public companies. She highlighted that the SEC will act with “appropriate haste” to consider what additional steps it should take.

For investment advisers and those who invest with them, the program raised a series of fundamental issues:

1. How to plan day-to-day operations in this rapidly changing landscape, where cyber-threats are persistent, growing and often undetected for long periods of time?

2. When to report incidents, both to senior management and to others, including business partners, enforcement personnel, regulators and industry participants, as well as customers and investors whose data may have been compromised?

3. Does a firm know if an incident has occurred? 

The guidance has brought about some disclosures and the new guidance will eventually be even more effective, but investment professionals must also be equipped to collect information through their own diligence on cyber issues.

Companies are losing valuable trade secrets and business intelligence at a staggering rate, with consequences for future revenues and earnings. Intellectual property and other proprietary information are the crown jewels of any business. Loss of proprietary information, or of information about a proprietary process, to a competitor could reduce profits by hundreds of millions of dollars per year.

Also, corporate transactions that change IT infrastructure and processes can create gaps in information security systems, policies, procedures and safeguards.

Ultimately, investment professionals need to know how to analyze risks and events and determine their impact on valuations and investment decisions.

At a minimum, an M&A cyber security assessment must understand the financial implications of cyber risk. The outcome of the assessment should help investment professionals assess the impact of cyber risks and events on their work.


Posted by:

Pamela Gupta