Is Your Cybersecurity a Plus or Minus for M&A Valuations?
Would I be correct in assuming that if you are considering a Merger or Acquisition (M&A) you want the “right” valuation that works for both parties? For decades, the M&A due diligence process focused primarily on financial performance when it came to valuations. The process entailed investing significant time digging into financial and operating performance to predict the combined companies’ current and future potential valuation.
Today, cybersecurity is a large contributor, or in some cases detractor, when it comes to valuation. By 2022, Gartner reports that 60% of organizations engaging in M&A activity will consider cybersecurity posture as a critical factor in their due diligence process.
According to PwC, in an article titled When cyber threatens M&A: “Many executives say data breaches, especially public ones, can lower a deal’s valuation. That was evident in Verizon’s acquisition of Yahoo, which closed in 2017. After Yahoo’s disclosure of two massive breaches in previous years, Verizon cut its offer by $350 million, or about 7% of the original price. In addition, the part of Yahoo that wasn’t sold to Verizon agreed to assume 50% liability from any future lawsuits related to the data breaches.”
This translated into a $350 million negative valuation impact due to a data breach. Perhaps that could have been stopped for 10%, even 5% of the deal impact. Or, perhaps it could have been identified during a cybersecurity due diligence phase in the deal evaluation.
What does a cybersecurity event cost your firm? It has been published that a cybersecurity event can impact enterprise valuation by upwards of 20%! Think about that – a 20% impact on your deal as a result of not foreseeing a current, active threat inside the network or a looming data breach once the companies are combined.
Leverage Cybersecurity Experts as Part of Your M&A Due Diligence
Most often, Private Equity Groups performing M&A activities and deal valuations don’t have the expertise to do thorough cybersecurity due diligence analysis. The savviest PE Groups look to expert cybersecurity firms that have a complete threat hunting and digital forensics practice. And I don’t mean a snapshot analysis via a quick vulnerability scan. I mean deep forensics that can determine if a breach happened days, weeks, even months in the past. And many times, if these breaches go undetected, they can appear months later by compromising data or perhaps locking down data via ransomware.
If you decide to go this route, look for a cybersecurity partner that can perform a complete analysis and find “patient zero” of a data breach or of a threat that currently exists. In other words, find out when, how, and where the threat happened and then provide a complete remediation roadmap.
In addition to the forensic analysis, the due diligence should at a minimum evaluate:
- Cybersecurity maturity
- Data risk profile
- Compliance readiness
- Security incident response and recovery processes
Including cybersecurity posture analysis as part of the due diligence effort helps to expose your level of risk. If you’re responsible for M&A activity or in the process of going through an M&A transaction, let’s talk today.