Organisations With No Cybersecurity Policy are Less Valuable: Report
A new report shows that organisations without a cybersecurity policy are less valuable and those that have hidden previous breaches are an unattractive prospect for mergers and acquisitions.
A report from a team of researchers has concluded that organisations without a cybersecurity policy, and those that have hidden previous data breaches or mishandled a data breach, have a significantly lower value than companies that are open and transparent about their cyber security history.
The study was conducted by (ISC)², which used a methodology designed to find out “how important of a role cybersecurity plays in organizational audits during the course of a sale or merger, and what tangible effects it may have on the value and the outcome of a deal.”
The researchers asked more than 250 US-based experts on mergers and acquisitions to correlate a lack of transparency with a lowered acquisition cost. The results are clear: organisations that have covered their tracks in the past lack the trust needed to give acquisition managers confidence in them.
The results published showed that 49% of merger and acquisition experts had seen a deal crumble after research brought forward a previously undiscovered data breach. “Researchers also found that 86% of respondents said if a company publicly reported a breach of customer or other critical data in its past, it would detract from the acquisition price assigned,” according to Sarah Coble.
“However, if that breach was satisfactorily addressed and fixed, and any potential fines were already paid, 88% said it would minimize the negative impact to the overall valuation.”
In the full report, the authors state that “in mergers and acquisitions negotiations, buyers look closely at factors such as a company’s balance sheet, intellectual property and market share. How well a company performs in each of these areas can make or break a deal, but what some potential sellers may not realize is that another factor has become just as important in M&A activities - a company’s cybersecurity program.”
John McCumber, director of cybersecurity advocacy, North America, told InfoSecurity Magazine that “while every company needs to make their own decisions regarding proper data breach disclosure policies, the research clearly shows that in the context of a possible sale, not being transparent about past breaches can literally kill a potential deal, or can seriously affect the ultimate sale price.”
The report also shows that having a robust set of cyber security policies gives organisations an edge over their competitors: 77% of the experts interviewed by (ISC)² had recommended that one specific company with a cyber security policy be taken over in a merger or acquisition in preference to a similar organisation that didn’t have an information security policy already in place.
“While most companies would rather not experience a breach in the first place, the study shows that those who deal with one, handle it well, and make adjustments to policies in order to limit their chances of a recurrence are looked at more favourably by potential buyers than those who seemed doomed to repeat their mistakes,” McCumber said.
“Each deal is different,” he continued. “But what our report indicates is that in order to maximise the value of a deal, the acquisition target should ideally self-audit their cybersecurity program and readiness level in advance.”
Sarah Coble writes that “the report is a reality check for companies who think a lacklustre approach to cybersecurity won’t diminish their stock.”
“All respondents stated that cybersecurity audits are now a standard practice in arriving at a dollars and cents valuation, and 96% said that cybersecurity readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.”