Cybersecurity threats are a major concern for businesses of all sizes, and that challenge can have repercussions when a company puts itself on the selling block. One of the things buyers will want to know is whether the company has had a breach and, if so, how it was handled.
If the business can show it addressed the breach in a satisfactory way and learned from the experience by fixing its security vulnerabilities, its sale value increases, according to 88% of respondents in a new (ISC)² study titled Cybersecurity Assessments in Mergers and Acquisitions. The study reveals that cybersecurity audits are now standard practice in the M&A process.
And the results of those audits have weight: 77% of study participants, all of whom have M&A experience in some capacity, make recommendations on deals based on what the audits reveal. A solid majority of respondents (82%) say the stronger a company’s cybersecurity infrastructure, including soft assets such as risk management policies and security awareness training programs, the higher the value assessed to the organization
In addition, 86% say a publicly reported breach detracts from the acquisition price, although it’s not a deal breaker if the target company handled it properly. Buyers can be forgiving when it comes to breaches they already know about but it’s a different story if a previously undisclosed breach comes to light during M&A discovery.
More than half of respondents (57%) say they have been surprised during the M&A process by previously undisclosed cybersecurity incidents. Such revelations can have serious consequences, as 49% of respondents say deals in which they were involved fell apart as a result.
These findings support earlier research about how cybersecurity audits can influence M&A decisions. Some 53% of respondents in a recent Forescout Technologies study reported that critical cybersecurity issues or incidents have jeopardized M&A deals for their organizations. For 73% of respondents, undisclosed breaches are a deal breaker. In addition, the study found that 65% experienced buyer’s remorse when cybersecurity concerns surfaced following a deal.
It’s clear from both the (ISC)² and Forescout studies that executives involved in M&A activities frown on surprises when it comes to cybersecurity. Buyers understand that when they complete a merger or acquisition, they are taking on the target company’s cybersecurity infrastructure. As such, they want to avoid acquiring a weak program that can become a post-acquisition liability.
The (ISC)² study polled companies of all sizes, and 33% of respondents are from organizations of more than 1,000 employees. More than half of respondents (60%) say their organizations use an in-house team of security auditors, and 35% say they retain outside consultants for the task.
The study shows that cybersecurity already is an influential factor in M&A, and according to 42% of respondents, it will become even more so over the next two years.