Without a basic understanding of cybersecurity, companies stand to lose a great deal. And as BKD’s Cyber Division Director Cy Sturdivant points out, companies that acquire businesses with weak defenses may see their ROI compromised as easily as systems with weak passwords.
“The biggest thing (in) M&A, especially from an acquirer perspective, is if we purchase this company, what are we purchasing from a risk perspective?” Sturdivant says.
He says companies going through an M&A process may have targeted a company with an amazing competitive advantage, one that will complement both the buyer’s suite of services and its culture perfectly. However, if that target has outdated systems or has largely ignored potential cyber threats, its cybersecurity posture could be incredibly weak. As soon as the companies are merged and their networks are blended, if they're hit with ransomware or some other major threat, the acquiring company will face the full consequences of that event.
“The average total cost of a data breach is $4.24 million,” he says. “So, do you want to pay that? Obviously, you see the revenue stream, you see the benefits of bringing in a corporation, but do you want to pay a $4.2 million cyber bill because you didn't vet them, you did not assess that risk before you brought them in? And the bigger the company, the more data, the more intellectual property that organization has, the more impact and inherent risk they bring to your organization. That is by far the biggest item to be aware of and to be concerned with.”
Acquirers then, when going through due diligence, should be sure to ask their target company if they’re doing any type of annual cybersecurity risk assessment. If so, was it a self-assessment or did they bring in an expert to independently verify everything?
“Oftentimes when you ask that question, you're going to get a ‘no,’” Sturdivant says. “But are they doing anything? Are they doing vulnerability assessments? Are they doing penetration testing to simulate what somebody who connected to the network would see? What gaps do we need to close? What issues do we need to resolve? All that needs to be in your due diligence requirements. Ask those questions. If you get, ‘No, we've never done a pen test. We've never done a cyber assessment. We've never done fill-in-the-blank. We've never really even trained our employees on the risk of phishing.’ That might be something you want to do before you merge them in.”
Acquirers should conduct thorough diligence on their target’s cybersecurity because the results may bear on the target’s valuation. After asking these questions and assessing the systems, it's up to the acquiring company to decide whether to walk away or accept the risk and deal with it later.
Sturdivant spoke on the Smart Business Dealmakers Podcast about his view of the current cyberthreat environment, what cybersecurity means in practice, and just how troubling digital threats are for players in the M&A world.