
Cybersecurity as a business asset: Preparing for a successful exit

Key steps to take in protecting company value and preventing breaches

July 17, 2024


Considering the ever-increasing cyberattacks facing companies today, investment in security is more important than ever—and becomes even more crucial when preparing a company for exit. 

With the massive financial impact seen from cyberattacks, it’s clear cybersecurity is no longer just an IT concern but a strategic business issue.

Even the smallest breach can significantly impair a company's value, harm its customers, and diminish its reputation. This was recently on display with the breach of Change Healthcare, which cost parent company UnitedHealth Group over $870 million while significantly impacting cash flow for thousands of healthcare providers nationwide. While healthcare is, of course, one of the most scrutinized industries (especially with the FTC's Updated Health Breach Notification Rule), the necessity of security applies broadly.

A key step in preparing for an exit is to assess the business against a robust cybersecurity framework (e.g., NIST) that reflects both the controls needed to protect sensitive data and a resilient approach that preserves operational integrity in the event of a cyberattack. This is especially critical because threat actors often have substantial leverage during a transaction: they frequently treat an M&A announcement as a jumping-off point to launch a destructive attack like those described in this FBI Private Industry Notice, knowing an unprepared business will have little choice other than to give in to their demands.

For private equity firms, building an effective cybersecurity program begins at purchase. Continuously evaluating the cyber programs of portfolio companies and add-on acquisitions confirms that baselines have been implemented and that security standards and operational processes (e.g., vulnerability management, identity/access management, security staffing) are consistent, so there are no questions about effective, proactive cybersecurity measures when an exit arrives.

Potential acquirers and partners tend to scrutinize several areas when reviewing an organization's cyber capabilities and discipline; among those functions are security hygiene and operations (security solution standards, monitoring/alerting, vulnerability management), which they examine to understand potential risks or additional investment that may be required. To strengthen a company's readiness for exit, consider the following activities that reinforce cyber posture and resiliency:

  • Establish and confirm adherence to security baselines and standards (e.g., endpoint protection, data loss prevention) to secure enterprise systems and data (customer/corporate). Consistent deployment of foundational security solutions and controls across corporate and product assets demonstrates the organization’s cyber maturity. 
  • Review your cyber insurance policy to determine if the coverage is appropriate, that exclusions are known and managed, and security capabilities (e.g., managed endpoint detection, monitoring/threat detection) are in place to align with policy requirements. Business impact analysis exercises to quantify the financial and operational repercussions of a cyber event can help determine suitable coverage amounts to mitigate the financial and resource burden. 
  • Routinely document and test incident response plans to ensure timely and efficient recovery in the event of a security incident. The previously mentioned business impact analysis will also assist in proactively establishing mitigants (e.g., maintaining a retainer with an incident response firm, architecting recovery solutions). 
  • If using any cloud-based services (e.g., Microsoft 365, Google Workspace), conduct a third-party assessment to enhance the security and protection of enterprise assets and operations. Implementing geographically dispersed instances and off-network backup/storage (e.g., availability zones, third-party backup vendors, encryption key management) is critical for maintaining operations in the event of a cyber incident. 
  • Assess vulnerability management practices. Comprehensive penetration testing (e.g., external, internal credentialed, red team), routine vulnerability scanning, monitoring for dark web exposure, and consistent patching hygiene are paramount for fortifying the enterprise. 
  • Whether utilizing a managed security services provider (MSSP) or an internal security team, resources should be technically competent and ideally possess industry knowledge and expertise. 

Potential buyers understand the financial and reputational risks associated with data breaches and cyberattacks and appreciate the value of a secure IT infrastructure that can withstand ever-evolving cyber threats. In contrast, a company with weak cybersecurity measures may face significant discounts on its sale price or even exclusions in representation and warranty insurance underwriting, a significant concern considering that 53% of respondents in this survey came across "critical" cybersecurity issues in the course of M&A.

Across the hundreds of deals seen each year by West Monroe in diligence, cybersecurity concerns play a salient role in eroding value, delaying close, or even causing a buyer to walk away from a contemplated transaction. Examples of companies impacted by such concerns include:

  • An edtech business where management was unaware of potential attack vectors due to gaps in application security caused by lapses in static and dynamic application software testing (SAST/DAST).
  • A tech-enabled services company with limited dark web vulnerability scanning, risking exposure of sensitive information due to credentials being compromised on the dark web.
  • A healthcare IT business risking exposure of critical data due to the absence of a clear cybersecurity framework and underinvestment in technical controls, where adopting and applying an established security framework (e.g., NIST CSF, ISO 27001) could help establish baseline security strategies and operational standards. 

By taking the recommended actions and demonstrating cybersecurity capabilities, a prepared seller can expedite due diligence by presenting its own cybersecurity audits, which demonstrate thorough analysis of the environment and a commitment to data protection, reducing the time and resources spent on diligence.

Ensuring robust corporate hygiene, reinforcing the value of technical assets, and safeguarding critical data are integral parts of any sell-side advisory engagement. This approach underscores operational excellence and builds customer trust, essential when entering the market in the digital age.