(ISC)² – the world’s largest non-profit association of certified cyber security professionals – has just issued the findings from its detailed report entitled ‘Cyber Security Assessments in Mergers and Acquisitions’, which is based on a survey of 250 US-based professionals with mergers and acquisitions (M&A) expertise.
The goal of the study was to discover how cyber security programs and breach history factor into the monetary valuation of companies during a potential purchase. 96% of respondents indicated that cyber security readiness factors into the calculation when they’re assessing the overall monetary value of a potential acquisition target.
Survey respondents unanimously agreed that cyber security audits are not only commonplace, but are actually standard practice during M&A transaction preparation. The research also found that the results of such due diligence can have a tangible effect on the outcome of a deal, both in terms of overall value and even whether a deal is completed or not.
77% of M&A experts have recommended one acquisition target over another based on the strength of a cyber security program, while 57% of survey respondents said an acquiring company they work with has been surprised to learn of an unreported data breach during the audit process. Nearly half (49%) of all respondents indicated that they had witnessed a merger or acquisition agreement fall through as a result.
52% of respondents indicated that the share value of publicly-traded clients has been negatively affected as a result of an acquired company’s post-acquisition data breach.
Facing unprecedented challenges
“Businesses are facing unprecedented challenges in protecting their digital infrastructure, and indeed that of their customers, because of the sophisticated, targeted and voluminous attacks that can be launched against them at any time,” said Wesley Simpson, COO at (ISC)². “Our report indicates that it’s not simply whether or not a company has suffered a data breach that’s most important to potential acquirers, but how the breach was remediated and the steps taken to improve processes. Business leaders and financiers now understand that sound cyber security practices are critical to the bottom line and having the right skilled professionals in place to implement them is a solid insurance policy against devaluation.”
86% of the respondents said if a target company publicly reported a breach of customer or other critical data in its past, it detracts from the acquisition price assigned. However, if that breach was satisfactorily addressed and fixed, and any potential fines already paid, 88% said it would minimise the negative impact to the overall valuation.
When it comes to the actual infrastructure associated with cyber security programs, 95% of respondents indicated that it’s a tangible part of the calculation of value. 82% said the stronger the infrastructure, including soft assets such as risk management policies and security awareness training programs, the higher the value assessed. 52% said that, if the audit reveals weak security practices, the cyber security program as a whole is considered a liability. 63% of respondents stated that any information technology tools are factored in as assets.
While already a ubiquitous part of the audit process, survey respondents foresee cyber security playing an increasingly prominent role moving forward. While 54% already consider cyber security audits to be vital to the M&A process, 42% believe the importance will only increase over the next two years.
*For the full report visit: https://www.isc2.org/Research/The-ROI-of-Sound-Cybersecurity-Programs