Key steps to take in protecting company value and preventing breaches
Considering the ever-increasing cyberattacks facing companies today, investment in security is more important than ever—and becomes even more crucial when preparing a company for exit.
With the massive financial impact seen from cyberattacks, it’s clear cybersecurity is no longer just an IT concern but a strategic business issue.
Even the smallest breach can significantly impair a company's value, harm its customers, and diminish its reputation. This was recently on display with the breach of Change Healthcare, which cost parent company UnitedHealth Group over $870 million while significantly impacting cash flow for thousands of healthcare providers nationwide. While healthcare is, of course, one of the most scrutinized industries, especially with the FTC’s Updated Health Breach Notification Rule, the necessity of security applies broadly.
In preparing for an exit, it’s key to assess the business against a robust cybersecurity framework (i.e., NIST) that reflects both controls to protect sensitive data and a resilient approach to preserving operational integrity in the event of a cyberattack. This is especially critical because threat actors often have substantial leverage during a transaction, frequently treating an M&A announcement as a jumping-off point to launch a destructive attack like those described in this FBI Private Industry Notice, knowing an unprepared business will have little choice other than to give in to their demands.
For private equity firms, building an effective cybersecurity program begins at purchase: continuously evaluating the cyber programs of portfolio companies and add-on acquisitions to ensure baselines have been implemented, and maintaining consistent security standards and operational processes (e.g., vulnerability management, identity/access management, security staffing), so there are no questions about effective, proactive cybersecurity measures when an exit arrives.
Potential acquirers and partners tend to scrutinize multiple areas when reviewing an organization’s cyber capabilities and discipline. Among them are security hygiene and operations (security solutions standards, monitoring/alerting, vulnerability management), reviewed to understand potential risks or additional investment needs that may be present. To strengthen a company’s readiness for exit, consider the following activities to reinforce cyber posture and resiliency:
Potential buyers understand the financial and reputational risks associated with data breaches and cyberattacks and appreciate the value of a secure IT infrastructure that can withstand ever-evolving cyber threats. In contrast, a company with weak cybersecurity measures may face significant discounts on its sale price or even face exclusions in representation and warranty insurance underwriting—a significant concern considering 53% of respondents in this survey came across “critical” cybersecurity issues in the course of M&A.
Across the hundreds of deals seen each year by West Monroe in diligence, cybersecurity concerns play a salient role in value erosion, delays to close, or even a buyer walking away from a contemplated transaction. Examples of companies impacted by such concerns include:
By taking the recommended actions and demonstrating cybersecurity capabilities, a prepared seller can expedite the due diligence process by presenting their own cybersecurity audits to demonstrate thorough analysis of their environment and a commitment to data protection—reducing the time and resources spent on due diligence.
Ensuring robust corporate hygiene, reinforcing the value of technical assets, and safeguarding critical data are integral parts of any sell-side advisory engagement. This approach underscores operational excellence and builds customer trust, essential when entering the market in the digital age.