Watching the major breaches of 2014 in our rear view mirror – Target, Home Depot, JP Morgan Chase, Sony, Anthem, and a host of others – we may have said “better them than me!” But the challenge with digital theft is that there often is no smoke that signals a fire. Instead, a silent, smoldering inferno lurks and will explode upon the reckless. Without due diligence, the victim could be the acquirer in a merger and acquisition (M&A) deal.
In the world of investment, due diligence is the hallmark feature – indeed the requirement – for professional enterprises who provide advice, guidance, and sales of securities. Assessing cyber risk has become a due diligence imperative for professionals in the investing, brokering, and wealth management industries.
The due diligence process varies based on the deal, but it typically includes reviewing the financials, reviewing a third-party financial audit, assessing the marketing plan, interviewing the management team, and considering whether the sales approach is likely to succeed, among other things.
Smart investors will soon require cyber due diligence as part of the acquisition process. Cybersecurity exposure risks fall into four categories – personally identifiable information, protected health information, intellectual property, and cyber destruction. The major breaches of 2014 covered all four categories and will cost these companies millions of dollars in fines, public relations costs, brand damage, recovery efforts, and litigation costs.
If making cyber due diligence a standard part of the investment process avoids one bad deal a year, or changes the structure of one or two deals a year, the cost of performing cyber due diligence on all of the deals is covered. Performing a cyber-risk audit will reduce the investment portfolio’s overall cyber risk and therefore reduce long-term exposure and costs.
Consequences of a cyber-breach
Besides the legal, reputational, and financial impact of breaches mentioned above, there is a very important impact to consider – especially for the M&A and investment industries. Experian, the credit reporting agency, says that 60 percent of small and medium-sized businesses will go out of business within six months of being breached. That is a “bet the farm” kind of risk, and to the degree that an investor can reduce that risk at a reasonable cost, that investment likely makes sense. Target has spent well over $100 million recovering from its breach, above and beyond what its cyber insurance covered. For many businesses, even spending $1 million would be fatal.
Financial incentive for cybersecurity due diligence
According to one law firm, based on a survey of global dealmakers, 78 percent of dealmakers stated that they do not conduct cybersecurity due diligence. While this is not completely surprising, it is very troubling that 90 percent of those same dealmakers reported that information about past breaches or cybersecurity weaknesses would reduce the sales price of an acquisition. Virtually all of the respondents to this survey believe that cybersecurity weaknesses reduce the value of the investment asset.
This means that investors who do not perform a cybersecurity assessment prior to closing are assuming excess risk, may be overpaying for an asset, and may pose a legal risk to the offeror or advisor.