Cyber security programs shown to have tangible value in M&A assessments

(ISC)² – the world’s largest non-profit association of certified cyber security professionals – has just issued the findings from its detailed report entitled ‘Cyber Security Assessments in Mergers and Acquisitions’, which is based on a survey of 250 US-based professionals with mergers and acquisitions (M&A) expertise.

The goal of the study was to discover how cyber security programs and breach history factor into the monetary valuation of companies during a potential purchase. 96% of respondents indicated that cyber security readiness factors into the calculation when they’re assessing the overall monetary value of a potential acquisition target.

Survey respondents unanimously agreed that cyber security audits are not only commonplace, but are actually standard practice during M&A transaction preparation. The research also found that the results of such due diligence can have a tangible effect on the outcome of a deal, both in terms of overall value and even whether a deal is completed or not.

77% of M&A experts have recommended one acquisition target over another based on the strength of a cyber security program, while 57% of survey respondents said an acquiring company they work with has been surprised to learn of an unreported data breach during the audit process. Nearly half (49%) of all respondents indicated that they had witnessed a merger or acquisition agreement fall through as a result.

52% of respondents indicated that the share value of publicly-traded clients has been negatively affected as a result of an acquired company’s post-acquisition data breach.

Facing unprecedented challenges

“Businesses are facing unprecedented challenges in protecting their digital infrastructure, and indeed that of their customers, because of the sophisticated, targeted and voluminous attacks that can be launched against them at any time,” said Wesley Simpson, COO at (ISC)2. “Our report indicates that it’s not simply whether or not a company has suffered a data breach that’s most important to potential acquirers, but how the breach was remediated and the steps taken to improve processes. Business leaders and financiers now understand that sound cyber security practices are critical to the bottom line and having the right skilled professionals in place to implement them is a solid insurance policy against devaluation.”

86% of the respondents said if a target company publicly reported a breach of customer or other critical data in its past, it detracts from the acquisition price assigned. However, if that breach was satisfactorily addressed and fixed, and any potential fines already paid, 88% said it would minimise the negative impact to the overall valuation.

When it comes to the actual infrastructure associated with cyber security programs, 95% of respondents indicated that it’s a tangible part of the calculation of value. 82% said the stronger the infrastructure, including soft assets such as risk management policies and security awareness training programs, the higher the value assessed. 52% said that, if the audit reveals weak security practices, the cyber security program as a whole is considered a liability. 63% of respondents stated that any information technology tools are factored-in as assets.

While already a ubiquitous part of the audit process, survey respondents foresee cyber security playing an increasingly prominent role moving forward. While 54% already consider cyber security audits to be vital to the M&A process, 42% believe the importance will only increase over the next two years.

*For the full report visit:

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts