An acquirer should expect to know the details of any significant cyber events – not just breaches – and their impact on the target company. This includes incidents that may not have been shared publicly but still affected the company. What cybersecurity controls were in place at the time, and how have they changed?
How a company protects its data and intellectual property and the potential for future theft are crucial for confirming its value in an acquisition. An acquirer needs to know those controls are adequate or understand what investment will be required to improve them given the target’s current cyber risk profile.
This assessment must also consider the target’s vendors and contractors – each of which could create security gaps. An acquirer should be aware of any agreements in which third parties handle sensitive company or customer data, critical IT business processes, payments or other technology work.
And don’t forget risks around employees who may be disgruntled or worried about losing their jobs due to a transaction. More than unknown hackers or competitors, current and former employees were cited as top sources of security incidents in PwC’s latest Global State of Information Security Survey.
The critical information assets at risk of affecting deal value have expanded along with the cyber threats. Details about a company’s customers still can be valuable if stolen in bulk, while proprietary technology, application source code, valuation models for future business development, product formulas or other intellectual property might command a high price if they’re truly unique.
But businesses now also face new, downstream risks, thanks to increased connectivity within companies and with customers. For instance, today’s manufacturing supply chain is digitally interconnected – using process automation, specialty robotics, suppliers monitoring raw material levels in real time and logistics providers tracking the delivery of finished goods to customers or markets globally. This digital supply chain has incrementally increased the cyber attack surface and is only as strong as each link.
These risks can even extend to specific products, with the potential for firmware to be compromised at supplier locations. As a result, the primary manufacturer in that situation needs to establish a strong third-party risk program, and these risks should be considered during the deal process.
Even if an acquirer is confident that its exposure to threats is minimal, cyber issues can affect deal value in other ways. Beyond the question of weak vs. strong, cybersecurity diligence needs to determine how similar or different the target’s systems and protocols are from the acquirer’s.
This alignment or lack thereof can be crucial in strategic acquisitions and large deals. If cybersecurity integration activities aren’t identified and factored into the transaction on the front end, gaps between IT, cybersecurity and other business operations can slow integration and add costs, cutting into the efficiency and financial gains from the deal.
The overall deal structure has a big impact on how to plan for cybersecurity. The buyer has several operating models to consider from a deal structure perspective and could choose to continue the legacy programs at the target – for the short term or indefinitely. The buyer can also choose to integrate the companies and take the best of breed from the legacy security capabilities. Without careful and timely planning, unexpected costs could inhibit synergies and the realization of the deal’s benefits.