Cybersecurity Risks Are Threatening Deals

Recent acquisitions highlight the threat that cyber risks can pose to a company’s reputation and bottom line.  When Verizon was making a bid for Yahoo’s internet business, the sale price was discounted $350,000 million after Yahoo’s security breaches were discovered.  Spirit AeroSystems Holdings had been approved to purchase Asco Industries prior to Asco being hit with a ransomware attack that disrupted production for over a week in May.  As the fallout from the attack continues, the acquisition has been put on hold.

Marriott was not so lucky.  They acquired Starwood and then a few days later discovered that they had inherited a massive security risk to deal with.

Don’t think this concern is only for these major players.  In a recent meeting with a firm that specializes in mergers and acquisition of small businesses (many of them family-owned) the principals agreed that cybersecurity has become a major concern, and buyers are now requiring third-party attestation of the business having been proactive about security so they don’t pay far more than they intended.  We also were brought in to help when an online retailer had sold his business as being PCI compliant and the new owners then discovered that the information in the Self-Assessment Questionnaire they were given as “proof” was inaccurate, which resulted in a lawsuit for $750,000 plus legal expenses.

How can you prevent concern over cybersecurity from derailing a potential merger, buy out or many even the acquisition of a deal with a new customer?

1. Assess your risk – what is most important to protect?  Ask yourself what would make you panic if you found out it had fallen into the wrong hands, this likely includes other data besides the typical employee records or client files.
2. Assess your current state – what do you have in place to identify risk, protect against it, detect when something is amiss, respond appropriately and then recover if there was an incident?
3. Test your controls – Never assume that no news is good news.  Test your technical controls to make sure there are no gaps.  Test your staff to confirm that they are vigilant and know how to spot attempts to trick them into providing credentials, sensitive data or sending money via wire transfers.
4. Proactively monitor for 3rd party vendor breaches that could leave you exposed.
5. Make sure you have cyber coverage that isn’t so full of deductibles and exclusions that your business will be out of business if you do experience an incident despite your precautions.