When M&A auditors look at a target company’s tangible assets, in the vast majority of cases that includes cybersecurity. In a new (ISC)² study about the impact of cybersecurity in M&A, 95% of respondents say they consider cybersecurity infrastructure “a tangible part” of the value calculation.
The stronger the infrastructure, including soft assets such as risk management policies and security awareness training programs, the higher a target company’s value will be, according to 82% of respondents. If an audit reveals weak security practices, 52% of respondents would view the cybersecurity program as a liability.
What this means for organizations considering a sale is clear: If you take your cybersecurity program lightly, it is bound to drive down the sale price. Just like any other tangible assets, such as buildings or equipment, the program’s value is tied to its condition.
All 250 participants in the (ISC)² study are or have been involved in M&A activities. Respondents included managing directors, investment and research analysts, venture partners, general partners, principals, and risk and compliance officers. More than three quarters of them (77%) say they make M&A recommendations based on the state of a company’s cybersecurity program.
Cybersecurity Has Value
The M&A audit process is how a purchasing company determines whether its target for merger or acquisition is worth making a deal. The most important part of the process is due diligence, which involves evaluating assets, structure, liabilities, operations and partnerships. Each of these areas is assigned a value and red flags can lead a buyer to abandon a deal.
In the (ISC)² survey, nearly all respondents (96%) say they take into account cybersecurity readiness when determining the overall value of a company. Slightly more than half of respondents (53%) say value varies widely – depending on the maturity and effectiveness of the cybersecurity program – while 45% use a standard plus/minus value assigned in a pass/fail manner.
In evaluating the cybersecurity infrastructure, M&A experts also take into account a company’s IT tools, according to 63% of respondents. And since 82% say cybersecurity affects valuation, the finding about IT tools indicates that the cybersecurity infrastructure actually carries more weight than overall IT.
This demonstrates just how seriously M&A buyers are taking cybersecurity threats, in light of a string of incidents over the past decade that have in some cases compromised the private data of millions of people and exposed company secrets.
It stands to reason then that buyers would want to avoid acquiring or merging with a company that turns out to have weak security practices. When that happens, the weaknesses become a liability and potentially devalue the overall company.
Here is the bottom line: The demonstrably stronger your cybersecurity program is, the more valuable your company is to a potential buyer. And keep in mind buyers look at the overall security track record, so it matters how well you handle security along the way, including how you have rebounded from any past breaches.