Considering cyber risk in any transaction is essential. This is because the state of a company and its resilience to internal and external cyber threats has the potential to influence the value of the assets being acquired as well as related transitional risks. Just as a company must determine if a target company's financial, operational and legal risks are manageable, it must also assure itself that the cyber risk is acceptable.
The discovery of unanticipated cyber risk can slow down a planned transaction and negatively affect expected company valuation. And, with global M&A volume up 9 percent in 2013,1 and already up 23 percent through the first quarter of 2014,2 cyber risk assessment as a part of transaction process management is a significant consideration.
So, why is understanding cyber growing in importance? Companies increasingly rely on data and electronic communication to conduct business, for starters. And with the rise in data breaches, and with organized crime, state entities and “hacktivist” groups active in every region, all organizations face a degree of risk associated with the personal, customer or corporate information they collect, use and store — irrespective of size, location, industry sector or company form.
Breach Costs are Rising and Consequences Go Beyond Response Costs
The average cost of a data breach rose 15 percent since 2012 to $3.5 million per breach in 2013.3 Further, the average cost paid for each lost or stolen record that contained sensitive and confidential information also increased by more than 9 percent, from $136 (2013) to $145.4 In addition, companies hit by breaches suffered losses on other fronts. While the cost of a breach is generally recognized as including the direct costs from investigating and remediating the breach, it also includes costs such as fines imposed, litigation, damages and a decline in sales as customer confidence is compromised and brand reputation is tarnished.
Figure 1 – Cyber Impact Cost 5
Figure 1 quantifies the substantial financial and customer accounts lost for three companies that recently suffered a data breach. In addition to response costs and lost customers, a company’s share price and market value also may suffer as a consequence of a breach. Looking more closely in Figure 2 at Sony Corporation in the period immediately following its 2011 breach, Sony’s stock price fell by 6.42 percent a week after the breach (May 11), and by a further 12.76 percent 30 days later (June 4).
Figure 2 – Stock Price Impact 6
Different Types of Companies have Different Kinds of Cyber Risk
It has also been found that the industry in which a company participates is a particularly important consideration. The Verizon 2014 Data Breach Investigations Report reviews for several industries the manner in which cyber threats vary among them. Figure 3 highlights three examples. In Healthcare, 46 percent of cyber incidents are tied to data theft / loss. In contrast, in Mining, 40 percent of incidents stem from cyber espionage. Further, in Retail, the industry is faced with two major threats, Point of Sale- and Denial of Service-related breaches, 31 and 33 percent of the time, respectively.
So, target companies in different industries are likely to encounter very different types of cyber threats — even if they are of similar size and structure and operate in the same part of the world.
Figure 3 – Verizon 2014 Data Breach Investigations Report 7
Therefore, with global transactions increasing, and many of these transactions occurring in the high cyber risk sectors such as energy, financial, retail, defense, healthcare and pharmaceuticals, how should cyber risks be assessed? Further, can a target company that has suffered a previous breach be reasonably considered?
Figure 4 – M&A Transactions 8
To undertake a comprehensive review of the target’s cyber security capabilities, policies, history and risks, an assessment must include at least these six considerations:
Cyber Health-Check Essentials
1. Critical Asset Location & Classification: Has the company identified the target’s most critical assets that could be affected by a cyber event, such as its critical data and IT infrastructure?
2. Cyber Protection Capability: What sort of protection does the company have against cyber threats? Does it have the culture, leadership, policies and technology investments that support managing cyber risks?
3. Threat Landscape: What are the cyber threats faced by these assets? What would be the impact on the business if these assets were lost or damaged? What is known about these threats? Can the likelihood of an attack be determined based on the experience of similar companies? Can threat intelligence help the company to anticipate potential threats?
4. Breach Response Capability: Has this company experienced breaches in the past that could create liability at a later date? In the event of a cyber breach, how much money could be lost to incident handling costs, lost business or lost market value?
5. Supply Chain Risk: Would a cyber event at a supplier hold the potential for an upstream impact on the company? Is the liability apportioned correctly?
6. Insurance Cover: Can the company ensure against any unmitigated risks?
Yet a cyber health-check is not a “one size fits all” solution. Every health-check must be customized to account for factors such as the organizational structure, its operating geographies, the laws of the jurisdiction(s), the industries in which it participates and its risk appetite. Taken together, these elements help to identify the type of cyber risk the new entity is likely to encounter, and each should be examined as a part of the evaluation process.
Cyber Health-Check Process
The health-check process typically begins with a high-level assessment of the company’s data profile and its cyber protection capabilities. Customarily the cyber policy, security operations and plans would be examined along with a review of technical controls like firewalls and log management, and virus detection.
Threat intelligence sources are then used to search for evidence of exfiltration data and positive indicators of a breach. The threat intelligence review also highlights the kind of attacks that companies with similar profiles may have experienced and includes information already in the public domain, such as potential adversaries.
A detailed review of the company’s breach response capability is an important part of the health-check process. Past history of breaches, security audit failures, lost devices and unauthorized accesses are all assessed as a part of the effort to foresee post-merger problems.
Similarly, the supply chain and its associated cyber risk are evaluated alongside a vendor contract review to flush out indemnity provisions.
In the event that any of the initial health-check inquiries raise concerns, a deeper technical analysis of the company’s cyber defenses is undertaken. The more detailed evaluation would typically involve reviewing in greater depth existing systems, including the nature of its technology infrastructure, the location and type of the company's data and its cyber defenses. In many cases, penetration testing would also be utilized to ascertain the ability of the company’s existing infrastructure to withstand an attack.
Finally, insurance is an option that acquiring companies may consider as a means of transferring to a third party some of the residual cyber risk. Cyber / privacy policies frequently cover some risks associated with collecting and storing personally identifiable information (PII) and from the loss of intellectual property and other proprietary information. A portfolio company undertaking a series of acquisitions for a private equity firm could protect itself against residual risk by purchasing a policy that would cover both the statutory risk associated with PII data, as well as any common law risk with respect to the loss of, or unauthorized access to, the intellectual property of others.
Investigating cyber risk as a part of a comprehensive M&A due diligence process can protect investors, help to assure that acquired companies retain their value and assets, and keep a planned acquisition process on track. Past events need not prohibit either investor or target from engaging in the process, but a thorough and risk-specific (industry, company, geography, etc.) cyber health-check that includes at least the six elements outlined above are essential considerations in contemporary M&A processes.
A&M’s use of company names and other public information in this article does not express or imply that those companies have a relationship or affiliation with, or have provided an endorsement of A&M.
1 Dealogic, “Dealogic Global M&A Review | Full Year 2013,” 2014, accessed June 10, 2014
2 Dealogic, “Dealogic Global M&A Review | First Quarter 2014,” accessed June 10, 2014
3 Robert Westervelt, “Data Breach Costs Study: Response, Containment Increase,” CRN, May 12, 2014, accessed June 10, 2014, http://www.crn.com/news/security/300072808/data-breach-costs-study-response-containment-increase.htm.
4 Ponemon Institute, “2014 Cost of Data Breach Study: Global Analysis,” May 2014, accessed June 10, 2014, public.dhe.ibm.com/common/ssi/ecm/en/sel03027usen/SEL03027USEN.PDF.
5 Matthew J. Schwartz, “RSA SecurID Breach Cost $66 Million,” Dark Reading, July 28, 2011, accessed June 10, 2014, http://www.darkreading.com/attacks-and-breaches/rsa-securid-breach-cost-$66-million/d/d-id/1099232; Byron Acohido, “Timeline: Target, Neiman Marcus Disclosures,” USA Today, February 6, 2014, accessed June 10, 2014, http://www.usatoday.com/story/cybertruth/2014/01/23/timeline-target-neiman-marcus-disclosures/4799153/; Jason Abbruzzese, “Michaels Confirms Security Breach Affected 3 Million Debit, Credit Cards,” Mashable, April 18, 2014, accessed June 10, 2014, http://mashable.com/2014/04/18/michaels-breach-3-million-cards/.
6 Maria Aspan and Claire Baldwin, “Sony Breach Could Cost Card Lenders $300 Million,” Reuters, April 28, 2011, accessed June 10, 2014, http://www.reuters.com/article/2011/04/29/us-sony-creditcards-cost-idUSTRE73S0FL20110429 ; Yahoo! Finance, Sony Corporation Stock Price Chart (Filter: 4/10/2011 to 6/4/2011), accessed June 10, 2014, http://finance.yahoo.com/echarts?s=SNE.
7 Verizon, “Verizon 2014 Data Breach Investigations Report,” 2014, accessed June 10, 2014, http://www.verizonenterprise.com/DBIR/2014/.
8 Institute of Mergers, Acquisitions and Alliances, Chart of Top Mergers and Acquisitions Worldwide, accessed May 15, 2104, http://www.imaa-institute.org/statistics-mergers-acquisitions.html#TopMergersAcquisitions_Worldwide.