What do the acquisitions of Starwood Group by Marriott and Whole Foods by Amazon have in common? Both experienced cyberattacks shortly after the acquisitions were complete and failed to uncover data breaches that occurred before purchase. These companies are not alone.

And if breaches can happen to behemoth companies, smaller companies, with fewer protections in place, are definitely at risk. According to the 2019 NetDiligence Cyber Claims Study, of the more than 2,000 cyber insurance claims filed, 96% came from small to medium-sized businesses with less than $2B in revenue.

According to The World Economic Growth Forum’s recent Executive Opinion Survey, cyberattacks remain the No. 1 greatest concern for doing business in North America. What’s more, cyber breaches are projected to cost the global economy $6 trillion in damages by 2021, according to Forbes. The barrier to entry for someone to attack an organization has become much lower. There has been a rise of unsophisticated attacks carried out with ransom ware and malware pop-ups and simple phishing tools that cost less than $1. Only 1 in 4 small businesses are prepared for dealing with cyberattacks, according to Small Business Trends. The threat is there, and it’s not going away.

While certain industries that handle sensitive personal information, including health care, financial services and retail, may see a higher incidence of data breaches, no industry is immune. If security events disrupt business operations, customers stop doing business with the organization, which leads to a significant loss of revenue. This is demonstrated in the NetDiligence Cyber Claims Study, where it indicates that business income loss is the biggest contributor in driving the cost of security incidents higher. In fact, 25% of small- to medium-sized businesses filed for bankruptcy and 10% went out business after experiencing a data breach, according to National Cyber Security Alliance research.

Today, this trend is not unknown to deal makers. Most investors have faced one or more cybersecurity incidents in their investment or portfolio companies. If the acquired company faces a security breach during the holding period, chances are the company will not command the desired multiple upon exit, and will jeopardize the overall investment objectives.

Data is the new oil. Just as a prudent dealmaker would assess the risk of an oil spill before investing in an oil exploration business, an investor should assess the risk of data leaks in this data-driven economy.

Cyber due diligence is a quantitative risk assessment to estimate the financial loss exposure of a target and develop an appropriate mitigation strategy. Cyber due diligence will help buyers and sellers alike in understanding:
· What are the critical assets from a data, infrastructure, and brand reputation perspective?
· What threat actors may be motivated to damage the company?
· What are the quantified and prioritized cybersecurity risk associated with the company’s critical assets?
· What is the financial loss exposure from identified risks, including the regulatory penalties if a breach occurred?
· What does the roadmap to addressing security concerns and the pricing for remediation efforts look like?

Once you understand the value of your assets and have an idea of the threat actors, it’s important to identify the different means through which they can do damage to the business. Finally, you should assess what controls the business has already implemented to manage those risks.

There’s no question that cyber due diligence is paramount, but private equity firms need to make sure they are prepared to deal with threats and potential breaches on a go-forward basis as well. Immediately after closing the deal, the buyer should execute the plan developed through cyber due diligence and remediate those risks that could be exposing the company to significant losses. Unfortunately, cybersecurity is not a one-time investment that can then be forgotten. A trusted third party should be engaged to set up an enterprise-wide risk governance program to provide visibility into cybersecurity risk throughout the holding period.

Even in today’s very busy M&A environment, technical teams need more time to get in and assess the risk. As a result of the white-hot market, deals are closing quickly, and therefore, data security issues and attacks will likely continue to arise because private equity firms are not taking the time to conduct cyber due diligence ahead of the transaction close.
Module