Listen as Domenic, Jenn and Danny explore why now is the right time to start considering cyber investments as a way to create new value.
In this audio blog, PwC Canada’s Domenic Marino, National Deals Leader, talks to colleagues Jenn Johnson, Strategy and Transformation Leader, and Danny Garwood, Partner, Cybersecurity, Privacy and Financial Crime, about the burgeoning role of cybersecurity in mergers and acquisitions (M&A). They discuss how an organization can protect itself from cybercrime when a deal is announced and how having a strong cybersecurity profile should be part of an organization’s long-term business strategy.
Welcome, and thank you for joining us. My name is Domenic Marino and I'm the National Deals Leader for PwC Canada. I'm here today with Jenn Johnson, who is our Strategy and Transformation Leader, as well as Danny Garwood, who is a Partner in our Cybersecurity, Privacy, and Financial Crimes practice. Our objective today is to provide you with relevant information and guidance around cybersecurity in deals, including effective due diligence, so you can make informed decisions within your organization. We'll start by discussing how to protect your organization from cybercrime when a deal is announced. We'll then explore how having a strong cybersecurity profile can be part of your long-term strategy. We'll also dive into why now is the right time to start considering cyber investments as a way to create new value. So let's start with cybersecurity. Danny, can you walk us through some of the cyber risks that companies are exposed to once a deal has been announced?
Sure, Dom. Once a deal's announced, there are a number of things to consider from a cyber risk perspective. For one, one of our deeper pockets become involved. It definitely makes the acquired entity a more interesting target for cyber criminals. Depending on the nature of the deal, there may be an integration between the acquirer and target that takes place, and when there are inconsistencies, cyber risk tends to be higher. So even though an organization may have good overall cyber maturity, they may be acquiring an organization that doesn't, and this can become an important risk for them. That's why, as part of the integrated due diligence process, it's important to get early line of sight on some of these bigger red flags from a cyber perspective. And then post deal, we're seeing many buyers do a deeper dive cyber assessment, which really enables them to understand some of the key issues, and put an action plan in place to start closing any gaps.
That makes a lot of sense. Thanks, Danny. Jenn, just shifting focus, how can having a stronger cybersecurity profile be part of a long-term strategy for investors?
It's a good question, Dom, and I'd really like to start by pulling on the thread that Danny raised. We are seeing a very significant increase in cyber during the due diligence phase. Really, it's about going in eyes wide open on a cyber posture of the company that's looking to be acquired, and the potential investments that you may need to make in order to bring it up to a reasonable posture and maturity. Additionally, many investments often have an integration play with an existing business, or there's an opportunity to significantly grow or run that business in a much more profitable way, all of which have a critical technology component to it, right? When there's a technology investment and focus, cybersecurity needs to be top of mind. It's critical in helping to build trust and confidence in your stakeholders of that business. This can also result in increased value. Whether you decide to hold or exit the business in some way, and we'll come back to that later, it's key to look at cyber as one of your key levers in your value creation story, and to make sure your overall strategy is clear and supported.
That said, there are different strategies based on the type of deal that you might be doing. We've seen some PE firms that are taking more of a buy, hold, and then sell the investment approach, and some more proactive views of cybersecurity. For example, private equity firms and pension firms that are not only looking at their cyber posture of themselves at the fund level, but also looking at cyber risk at the individual portfolio company, setting minimum expectations of what good security looks like, and then regularly checking in with those assets to make sure that they are remaining minimally secured, again, based on the business model that they're running in and the investment objectives that they have. The objective here is to lower the risk of the asset, but to support their investment strategy to continue to grow and/or properly integrate that business with their existing business models.
Yeah, thanks Jenn. Those are great points. Danny, then if we think about cybersecurity and M&A, investors are starting to have an increasingly protective lens on their assets. Why do you think this is top of mind?
Yeah, investors are definitely starting to have a more protective lens on their assets, and this is why we're really seeing an uptick in cyber due diligence as part of a broader integrated due diligence, and that's because it's one of the major risks to evaluate. But the due diligence process also provides some visibility to the buyer or investor to really understand what investments need to be made to address some of those cyber gaps post deal. Jenn touched on this a minute ago, but many organizations are going through a digital transformation or digital evolution, and this is often a differentiator, which may be the reason for the acquisition in the first place. Whenever there's an increased reliance on technology, there's also heightened cybersecurity risk.
In addition to that, we're also seeing more insurance companies asking questions about cyber risk when underwriting deals. They want to know how buyers are gaining comfort with cyber risk. More and more we're seeing private equity and pension, pensions especially, really have a designated person within the organization that's looking for cyber risks across the portfolio, and they're looking at it and determining where they're going to be making those investments. So all of these are factors for why cybersecurity is top of mind in M&A.
Yeah. Thanks, Danny. And Jenn, I've got one more for you, and I want to touch on something that you mentioned a little bit earlier and really just expand on this concept of cyber and value creation story. So how can investors broaden their perspective to include value creation during a deal?
Yeah, it's an interesting area, and I think it's an area that's evolving quite a bit right now. And just tying back to what Danny was talking about and the investment strategy, almost every business that we know out there today has some sort of a digitization or transformation program, and cybersecurity needs to be and should be a central focus within those programs. The risk of getting it wrong is very significant and can very quickly erode trust with stakeholders. But from a value creation perspective, what we're also seeing is a number of organizations recognizing that they don't have unlimited pockets and they need to be smart about their cyber investments, right? For a lot of organizations, cyber budgets have continued to grow quite significantly year on year for a number of years now, and so a lot of folks are really starting to say, "How do I get smarter with the spend I have in this key area?" So one area that we're starting to see more is around cyber risk quantification, and what that allows you to do is actually use modeling to help you identify your cyber risk exposure.
And then if you evaluate that exposure and put a number to it, you can then determine whether it's a number that you're comfortable with, i.e. are you comfortable with that rate exposure? And if it is too high, which it often is, then you can actually model out if I make certain improvements, and I can select the improvements, then I actually can see the reduction in that risk exposure around cyber. So it allows you to do some if-then scenario planning, and help you get really crisp and focused on where you're going to put those cyber investments to maximize the value that is created through those. So in one example, we were working with a private equity firm and they bought an asset in an inherently high-risk business sector, and we did a cyber assessment around that asset about 90 days after they closed the deal. And unfortunately, results were a bit subpar from what we would've expected for such an inherently high-risk business.
That did cause the buyer to go back and re-look at their initial assessment of the value of the business and where it was going to go in the future. However, there's good news in this story too. They also started looking at cyber risk quantification. They used that to help them guide where they would make their cyber investments to maximize the value that they would create for the organization and reduce their cyber exposure. So now we're a little over 12 months later, and they're actively trying to enhance their cyber posture to restore that value that was perceived to have been eroded and actually create value now as they move ahead. So I think a good news story in the end. But if you get cybersecurity investments right, it can prove very beneficial in creating the value that you want in the firm. And again, a lot of these investment strategies are based on integrating to an existing operation, that means technology interfaces, it means growth through heavy digitization, and cybersecurity is absolutely critical in making those ambitions become reality.
Hey, Jenn and Danny, thank you both for your insights today. I especially liked how you touched on both how you can play defense, but also offense when thinking about cyber in an M&A environment. And also thank you to our audience for listening. And if you're looking for more info on how you can get started on your cybersecurity strategy in deals, our contact info could be found at the bottom of this page, and we'd be happy to hear from you.
“If you get cybersecurity investments right, they can prove very beneficial in creating value. A lot of investment strategies are based on integrating with an existing operation, and that means technology interfaces and growth through heavy digitization—cybersecurity is critical in making those ambitions become reality.”
Jennifer Johnson is the Strategy and Transformation Leader and the Cybersecurity, Privacy and Financial Crime Markets Leader at PwC Canada. Through her multiple roles, Jenn works with our firm leadership team to innovate ways to deliver on the firm’s strategy while working with all our lines of service to bring diverse capabilities together to solve our clients’ cyber, privacy and financial crime challenges.
Danny Garwood is a partner in the PwC Deals practice and the Cybersecurity, Privacy and Financial Crime team in Montreal at PwC Canada. He has over 20 years of experience in technology investigations, litigation support and cybersecurity, as well as global experience from having been based in Canada and the Cayman Islands.
Domenic Marino is the National Deals Leader at PwC Canada. He has over 20 years of experience with PwC Canada and extensive international experience working with a variety of corporate and private equity clients on a range of deal mandates.