For companies purchasing an enterprise with substantial digital assets, which is most companies these days, the cost of pre-deal cyber due diligence can be a rounding error. Conducting no cyber due diligence is like buying a house without conducting an inspection. You have no idea how much it’ll take you to fix it post-closing, or whether, in the rare case, the problems are so significant that you should know are biting off massive risk. Pre-deal cyber due diligence enables the buyer or investor to re-price the deal, pass-on the costs of the fixes to the seller(s), or walk away. Just like the financial, environmental, and insurance due diligence done in most M&A deals, cyber diligence can identify, quantify, and protect against taking on excessive risk. While cyber due diligence is not yet routine, companies and private equity firms are increasingly embracing it.
Poor cybersecurity can make an expensive breach more likely or can create regulatory non-compliance that is expensive to fix. As far as breaches are concerned, any company can potentially be broken into with enough effort and time, but if pre-deal due diligence shows that it would be trivial to hack the target company, the chances of a serious breach increase. By recent measurements, the average cost of a data breach is $3.6 million, but damages from big breaches can reach the tens, if not hundreds, of millions of dollars. Fines for breaches under the new EU regulatory schema can be as high as 4% of global turnover. This kind of financial or reputational loss can affect enterprise value.
Pre-deal diligence that shows a company has significant gaps in computer security hardware, software, and talent can help assess the likelihood of breach, quantify the fixes, and produce an understanding of how long the target will remain insecure. These are all factors that directors, officers, and investment committees should consider in advance. This is especially so when the target company is being merged into a more secure network. Who wants to bring cyber “termites” into a house that has none?
Gaps in cyber resilience can also violate the increasing number of local and international data privacy and cybersecurity regulations. There’s the cybersecurity regulation of the New York Department of Financial Services (“DFS”), the Bank of England’s CBEST vulnerability framework, state laws, and the EU’s Global Data Protection Regulation (“GDPR”), to name a few. The DFS regulation requires the CISO or board to certify regulatory compliance, and specifically requires an enterprise security assessment, a threat assessment, processes to determine whether to enable database encryption, multi-factor authentication for remote access, and other specific aspects of a security program. DFS gaps will be expensive to remediate post-deal. The same is true of GDPR violations, which focus on permitted and prohibited cross-border movements of data; and CBEST violations, which, like the DFS regulation, focuses on cybersecurity.
Given that the touchstone for all cybersecurity is identifying and then protecting the digital “crown jewels,” pre-deal cyber due diligence should focus first on whether the company even understands what its key digital assets are, and then whether budget, technology, and skills are aligned with protecting those assets. For example, in healthcare, important concerns that can affect enterprise value are whether the target company is susceptible to mass exfiltration of patient health information, ransomware that can affect the ability to operate, and attacks against notoriously insecure medical devices. In oil and gas, a leading focus should be whether industrial control systems are exposed to manipulation by malicious outsiders. In entertainment, acquirers and investors should be concerned about exfiltration of customer data, the security of pre-release content, and the security of the network operations through which content is broadcast. Across all industries, security is not just a question of what attacks the target company can block, but whether it can detect and respond to an attack—as swift action often decreases loss and protects the value of the enterprise. When source code is the key digital asset, due diligence can involve ensuring that the software development environment is secure, and that the code is not purloined in whole or in part, is not subject to a patent invalidity attack, and is maintainable. For example, if the code is poorly commented and all the conversant developers have departed, the post-close cost of maintaining and improving the code base can be dramatically higher.
Cyber due diligence is a short-term (2-4 weeks), high-level, and thus relatively inexpensive evaluation of the risk presented by the target company’s cyber maturity. It can identify costly risks, opening up the opportunity for buyers to reduce their exposure. Making it part of normal M&A due diligence is bound to happen sooner rather than later. As cyber attacks get more severe—the recent global ransomware attacks being an example—it becomes increasingly clear: ignoring these risks can cost buyers or investors profoundly.