Opinion

Cyber due diligence: The next big thing in mergers and acquisitions


28 August 2015

Graham Carberry, MD of defence and security at Livingstone Corporate Finance, talks about the rise of cyber due diligence and why it is important for businesses that are going into a sale to have a robust IT system.

You can’t be certain about much in M&A but here’s one thing we confidently predict: cyber due diligence (‘DD’) will be the next big thing to feature in transactions as a separate, stand-alone due diligence exercise.

Today’s technology DD tends to focus on issues such as systems compatibility, and whether the vendor has up-to-date licences and a robust business continuity plan. Up until now, cyber DD has been a subsidiary element of the process.

The increasing threat of cyber attacks and the number of high profile breaches are driving a significant change in corporate mind-set. There is also the clear message, being pushed hard (and increasingly incentivised) by the government and institutions such as the Bank of England, that businesses must sharpen their risk awareness and strengthen their cyber security defences.

According to one recent survey, 90 per cent of large UK companies, and 74 per cent of small businesses, experienced a malicious IT security breach over the past year.

There is no shortage of horror stories. In July, the dating website Ashley Madison was breached, with hackers subsequently carrying out their threat to post details of accounts online. The breach has potentially compromised its users – for whom the presumption of complete discretion will have been critical – and has almost certainly jeopardised the company’s planned IPO on the London Stock Exchange.

Following swiftly on the heels of the Ashley Madison debacle, the personal details of up to 2.4 million Carphone Warehouse customers were compromised, with up to 90,000 customers having their encrypted credit card details accessed.

Or take the story, published by the UK government as a recent case study, in which an un-named FTSE-350 company (which itself was an exemplar of good cyber-security practice) took over a small business. It inherited the very poor state of that company’s network security, and as a result suffered a sustained compromise of its own shortly after completing the acquisition. The investigation identified that the company’s adversary had unfettered access to the whole network for a period of more than a year and had stolen data related to new technology.


Acquirers of companies are increasingly aware of these perils. In a survey published last year by Freshfields Bruckhaus Deringer, 90 per cent of respondents across the US and Europe believed that information about cyber security weaknesses or breaches would reduce the sale price, while 83 per cent said that identified past data breaches, or a cyber incident mid-deal, would make an impact on that transaction.

Increasingly, cyber security will be analysed in depth or specifically quantified as part of the acquisition process. If you want to see the future of cyber DD, look at a cutting-edge sector such as defence.

One major defence company we know has walked away from transactions, after signing heads of agreement, solely because of concerns about cyber security. Another industrial client has a clear policy of not integrating its acquisitions for a good period after deal completion, in order to check its cyber security scrupulously. This is to prevent a “Typhoid Mary” scenario, where a breach in the systems of the acquisition leads to a breach in the parent company.

Of course, many enterprises won’t attract a great deal of interest from the criminal and hacking communities, let alone the attention of national intelligence services. Yet the value of many businesses resides in the proprietary technology, customer information and data they hold – and that means that the security of that data will be fundamental to capturing that value. If your business is part of a large and complex supply chain, then you may be targeted as its weakest link.

Increasingly the government requires suppliers to meet minimum standards such as those embodied in Cyber Essentials, the government-backed, industry-supported scheme to help organisations protect themselves against common cyber attacks. Large OEMs are looking to audit the security of their supply chains, whilst loss of IP through a breach will compromise the fruit of years of investment.

Ultimately, cyber security is an aspect of protecting value. As with so many aspects of preparing a business for sale, there is much that an owner-director should be doing.

Identify your most important data assets and how those assets are collected, used, stored and retained. Show how your internal data controls protect that data from being leaked or stolen (given that most breaches are the result of human behaviour, this will be about demonstrating a sustained effort to create and maintain awareness of security throughout the workforce, supported by appropriate training and validated by periodic reviews by external specialists – rather than just installing software patches). Keep records of past security breaches and what actions were taken as a result. Develop a breach response plan. Assess the cyber security credentials of your sub-contractors – and customers.

IT security should now be a question on every acquirer or investor’s mind. For prospective sellers, being able to show that this issue has been taken seriously, and how underlying IP has been protected successfully, is becoming increasingly critical to achieving a strategic price on exit.

Graham Carberry is the MD of defence and security at Livingstone Corporate Finance.