Cyber resilience set to influence deal-making outcomes
June 2014 | EXPERT BRIEFING | MERGERS & ACQUISITIONS
The threat of information leakage during sensitive M&A transactions is not new. People have attempted to profit from inside information at least since the invention of the modern finance system. However, the rise in cybercrime is creating an entirely different challenge to clients and their advisers, with the old system of preventing such leaks – keeping the circle of trust small – no longer enough.
In response, the recently-launched ‘Cyber-security in Corporate Finance’ guide, backed by the UK government and a taskforce spearheaded by ICAEW, aims to raise awareness and foster best practices.
The advent of highly targeted and sophisticated computer hacking means a leak is no longer limited by the trustworthiness of those in the circle of trust. Equal attention must be paid to the trustworthiness of the inner circle’s cyber security. A growing number of corporates review the cyber resilience of their external advisers prior to engaging them. This is a very good practice. It is not uncommon to find that a security breach of a company’s information occurred on a company’s external adviser’s network, rather than through the company’s own network.
Whereas contractual obligations may clarify who is ultimately legally responsible for a breach, this is no substitute for seeking to prevent the breach in the first place. This is especially true since a company is likely to be blamed by the public for a breach involving its data, even if the computer system breached was not their own.
The risk of cyber attacks goes beyond the fear that confidential information about a merger might leak and allow improper trading. Cyber security is now at the very heart of what makes an organisation effective and worthwhile. Just as an acquiring company must assure itself that a target company’s finances and legal risks are manageable, it must also assure itself that the cyber risk is acceptable.
Too often, issues of cyber security are left until after a transaction is complete – a question of integration, not value. This is a mistake. A cyber breach could easily have a material impact on the value of a company, which means it is far too late to leave this for the IT team during the integration phase. This is true for virtually all companies today – not just those in the technology sector. Smart companies, therefore, conduct regular risk assessments of their cyber security and the security of potential acquisition partners. This process should be at the very heart of the due diligence process.
A cyber security risk assessment should be supported by external experts with the appropriate level of knowledge and insight, alongside key individuals from within the organisation. The risk assessment review will identify a company’s high value data assets and assess the adequacy of the security in place. When required, it will suggest security improvements.
The review must be tailored to the organisation, its risk landscape and the nature of its business. At the very least, it must include a high-level assessment of existing security and plans, which may include a review of policies, procedures, firewalls, logs, virus detection and, perhaps, a search for indicators of a comprise.
This will commonly include an analysis of the target company’s data profile, the kind of attacks that similar companies may have experienced and the type of information already in the public domain, such as potential adversaries. Each review is likely to highlight different types of cyber risk, depending on the business environment in which a company operates. For example, a mining company involved in minerals extraction in a sensitive region, a retailer with significant legacy card payment infrastructure, and an international defence contractor all facing varying degrees of exposure to different types of hackers.
The second stage should review existing systems in greater depth, including the nature of the technology infrastructure, the location of the company’s data, the type of data held and how systems are currently defended. Executives across the organisation will play a key part in this process, which will also offer an opportunity to review the sufficiency and understanding of existing policies. In many cases, this may also involve an in-depth review of systems, alongside penetration testing, to ascertain the ability of existing infrastructure to withstand an attack.
The cyber security guide offers insight into the possible questions to ask during the due diligence process. When did the board last consider cyber-security? Who is ultimately responsible for managing cyber security in the company? How confident is the company that its most valuable information is properly managed and safe from cyber threats? When did the company last experience a cyber or information security breach? What steps did they take to mitigate the impact of this breach?
In assessing such risks, it is important to remember that cyber risks can also emanate from within, either inadvertently – by staff accidentally activating viruses or malware by clicking on links in emails – or intentionally – by malicious insiders motivated by the prospect of revenge or financial gain. It is worth noting that this is not only a problem for junior or mid-level employees; those at the top of an organisation are more likely than junior employees to engage in careless behaviour that can be a potential source of a cyber attack.
Cyber security is too important to be left until after closing. Recent cases suggest advisers, as well as their clients, are actively being targeted. In response, all parties must take steps to ensure they understand and mitigate such risks, from the outset.
Seth Berman is executive managing director and UK head of Stroz Friedberg. He can be contacted on +44 (0)20 7061 2300 or by email: firstname.lastname@example.org.
© Financier Worldwide