Blog

Cybersecurity Audits Are Now Standard Practice in M&A

Sep 30, 2019

Cyber-M-A-Report-1200x628 Cybersecurity threats are a major concern for businesses of all sizes, and that challenge can have repercussions when a company puts itself on the selling block. One of the things buyers will want to know is whether the company has had a breach and, if so, how it was handled.

If the business can show it addressed the breach in a satisfactory way and learned from the experience by fixing its security vulnerabilities, its sale value increases, according to 88% of respondents in a new (ISC)² study titled Cybersecurity Assessments in Mergers and Acquisitions . The study reveals that cybersecurity audits are now standard practice in the M&A process.

And the results of those audits have weight: 77% of study participants, all of whom have M&A experience in some capacity, make recommendations on deals based on what the audits reveal. A solid majority of respondents (82%) say the stronger a company’s cybersecurity infrastructure, including soft assets such as risk management policies and security awareness training programs, the higher the value assessed to the organization

In addition, 86% say a publicly reported breach detracts from the acquisition price, although it’s not a deal breaker if the target company handled it properly. Buyers can be forgiving when it comes to breaches they already know about but it’s a different story if a previously undisclosed breach comes to light during M&A discovery.

The Risk of Surprise Cyber-M-A-Covers

More than half of respondents (57%) say they have been surprised during the M&A process by previously undisclosed cybersecurity incidents. Such revelations can have serious consequences, as 49% of respondents say deals in which they were involved fell apart as a result.

These findings support earlier research about how cybersecurity audits can influence M&A decisions. Some 53% of respondents in a recent Forescout Technologies study reported that critical cybersecurity issues or incidents have jeopardized M&A deals for their organizations. For 73% of respondents, undisclosed breaches are a deal breaker. In addition, the study found that 65% experienced buyer’s remorse when cybersecurity concerns surfaced following a deal.

It’s clear from both the (ISC)² and Forescout studies that executives involved in M&A activities frown on surprises when it comes to cybersecurity. Buyers understand that when they complete a merger or acquisition, they are taking on the target company’s cybersecurity infrastructure. As such, they want to avoid acquiring a weak program that can become a post-acquisition liability.

The (ISC)² study polled companies of all sizes, and 33% of respondents are from organizations of more than 1,000 employees. More than half of respondents (60%) say their organizations use an in-house team of security auditors, and 35% say they retain outside consultants for the task.

The study shows that cybersecurity already is an influential factor in M&A, and according to 42% of respondents, it will become even more so over the next two years.