Mechanisms that mitigate cyber risks: PwC

Managing access and negotiating the transition

As much as they’d want full transparency, acquirers often don’t have direct access to all of the information that’s crucial for determining a target’s real value. To gain visibility into key data and other material, an acquirer and target can sign a non-disclosure agreement (NDA) and allow an independent consultant to evaluate the target and provide recommendations without sharing confidential details or proprietary information. An NDA may even be required – instead of optional – for areas such as technical testing or product code reviews.

Further protection for acquirers can come through transition services agreements (TSAs). TSAs are common in deals, but they only recently have started covering cybersecurity issues. Through a TSA, an acquirer and target can negotiate how the target will manage cybersecurity during the transition and the conditions under which the responsibility will shift to the acquirer. The latter can be crucial if due diligence has revealed any significant cyber issues that could decrease deal value.

Mining other intelligence

Beyond tools that are part of the deal process, companies can seek information elsewhere. Various external streams of data and information can be analyzed to produce reliable intelligence that can reveal potential risks. For instance, searching the “dark web” could unearth employee credentials and communications or product design documents that provide evidence of a breach or potential impairment of critical assets. It may also provide indicators of yet-to-be-detected breaches or attempted breaches.

Broader intelligence on cyber issues is available through information sharing and analysis centers and organizations (ISACs and ISAOs). These groups allow companies to share with each other information on digital threats and ways to combat them. ISACs originally were created in a few industries, most notably financial services and aerospace and defense. ISAOs build on the concept by spanning sectors to share expertise and experiences among broader communities of interest.

Gaining better insight into current cyber issues can help an acquirer know what to look for in assessing a target and determining its value. While interest in ISAOs has grown in sectors such as healthcare and energy, others that are highly competitive or have significant intellectual property – such as pharmaceuticals and medical devices – may be wary of substantial collaboration. That could be one reason why ISACs and ISAOs haven’t yet played a regular role in helping acquirers calculate a target’s value.