A new survey of over 1,400 CEOs and executives finds that CEOs in the United States “rank cyber security as their #1 external concern for 2019.” This is not shocking, given that the probability of experiencing a large data breach has increased globally in each of the last five years.
Executives have, however, been forced to change how they evaluate mergers and acquisitions. International auditing and consulting firms’ surveys have consistently shown M&A activity to be a crapshoot, with estimates showing that anywhere from half to as many as 83% of deals fail to produce the expected value or revenue synergies. Indeed, this general conclusion has been largely consistent across studies conducted in 1999, 2004, 2007, 2016, and 2017.
In spite of this, 2018 saw a global sum of $3.5 trillion in merger and acquisition activity, the third-largest total since 2001. Faced with the aforementioned odds, M&A endeavors are an optimist’s undertaking, a sort of “Yes, but that won’t happen to me” strategy for business growth. The optimism is often rewarded handsomely. But the technology landscape of every industry has developed along the way, to the point that M&A due diligence is considered irresponsible if it does not include a robust investigation of the target’s information security.
The era of leaving cybersecurity to chance, due either to neglect or lack of skill, has passed.
Data Is More Valuable Than Oil
You may have heard the oft-repeated claim that data has overtaken oil as the world’s most valuable resource.
In a merger or acquisition, data can be the deal’s chief motivator. M&A activity may be undertaken for the purpose of entering a new market, accelerating growth, or obtaining lucrative trade secrets. In all cases, the data which is acquired is integral to the deal’s success. Whether the data be intellectual property or customer lists, any acquirer would balk at a deal in which they knew beforehand that the target’s data was corrupt, incomplete, or had been leaked to competitors. Any one of those situations would shake the very foundation of the deal’s motivation.
Adding to these concerns is the prospect of insider trading, in which cyber attackers have already made a fortune by targeting the companies themselves, their attorneys, the newswires, and even the SEC itself. Data security has become the very underpinning of M&A.
What’s The Use?
Just as the other aspects of M&A due diligence must be numbers-driven to be useful, a cybersecurity assessment that returns a red-yellow-green stoplight chart, with reports of “low-to-medium risk,” lacks the context needed for decision-making.
“Low-to-medium risk, compared to what?”
“How often will that cause a problem?”
“How much will it cost us per year?”
Answers to these questions must use numbers. A feelings-based cybersecurity assessment is as useful as a feelings-based financial assessment.
The National Association of Corporate Directors (NACD) published a revised handbook on Cyber-Risk Oversight in 2017, which included an appendix specifically dedicated to the cybersecurity concerns of mergers and acquisitions. In it, the NACD calls for “modeling the financial impact of identified cyber risks,” and cautions that insufficient cyber due diligence prevents a company from knowing whether the deal should be revised, or indeed whether it should be pursued at all.
Measuring and quantifying cybersecurity risks allows them to be tied to specific critical assets or business objectives. Resources and strategies can then be adjusted as appropriate, armed with a straight-line correlation between security efforts and the company goals.
“Measure What Is Measurable, And Make Measurable What Is Not So.” – Galileo
A legitimate way to quantify an M&A activity’s cybersecurity risks is through the use of FAIR analysis. Open FAIR (Factor Analysis of Information Risk) is a global standard of The Open Group, and a widely used analytical risk model that is finding accelerated adoption across every industry.
Its disciplined approach to putting a dollar figure on risks that had historically been passed off as too nebulous to quantify has made it an essential tool for anyone who aspires to fulfill the spirit of the term “due diligence.” Membership in the FAIR Institute has grown steadily in recent years and currently boasts representation by “80% of the Fortune 10, 75% of the Fortune 50, and 30% of the Fortune 1000 companies.”
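FAIR decomposes risk into loss event frequency (threat event frequency times the probability that a threat event becomes a loss event) and loss magnitude (primary plus secondary loss), and estimates each factor as a calibrated range rather than a single guess. The script below is an added illustration, not code from the Open Group, the FAIR Institute, or this article, of how such a model turns those ranges into the “how often” and “how much per year” answers demanded above. It runs a Monte Carlo simulation over one constructed exfiltration scenario (every figure is invented for the example) and reports expected loss events per year, annualized loss exposure at the mean, median and 90th percentile, and the probability that a year’s losses exceed a materiality threshold. The triangular distributions, the Poisson event count, and the threshold are simplifying choices made for this example, not requirements of the standard.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode); note the argument order.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass
class Scenario:
    """One loss scenario for a target company, expressed in FAIR's factors."""
    name: str
    threat_event_frequency: Estimate  # threat events per year (TEF)
    vulnerability: Estimate           # probability a threat event becomes a loss event
    primary_loss: Estimate            # dollars per loss event: response, replacement, downtime
    secondary_loss: Estimate          # dollars per loss event: fines, legal, customer churn


def point_estimate(s: Scenario) -> float:
    """Most-likely-value arithmetic: LEF = TEF x Vulnerability, ALE = LEF x Loss Magnitude."""
    lef = s.threat_event_frequency.mode * s.vulnerability.mode
    return lef * (s.primary_loss.mode + s.secondary_loss.mode)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small per-year event rates used here."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(s: Scenario, years: int = 10_000, seed: int = 7,
             materiality: float = 1_000_000.0) -> dict:
    """Simulate many independent years and summarize the annualized loss exposure."""
    rng = random.Random(seed)  # fixed seed so a reviewer can reproduce the numbers
    annual_losses, event_counts = [], []
    for _ in range(years):
        lef = s.threat_event_frequency.sample(rng) * s.vulnerability.sample(rng)
        n_events = poisson(rng, lef)
        loss = sum(s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
                   for _ in range(n_events))
        event_counts.append(n_events)
        annual_losses.append(loss)
    deciles = statistics.quantiles(annual_losses, n=10)  # deciles[8] is the 90th percentile
    return {
        "scenario": s.name,
        "loss_events_per_year": statistics.fmean(event_counts),
        "annualized_loss_mean": statistics.fmean(annual_losses),
        "annualized_loss_median": statistics.median(annual_losses),
        "annualized_loss_p90": deciles[8],
        "probability_exceeds_materiality": sum(x >= materiality for x in annual_losses) / years,
    }


# Constructed inputs for illustration only; in a real assessment these ranges come from
# calibrated estimation sessions with the target's security, legal, and finance staff.
EXFIL = Scenario(
    name="customer database exfiltrated via exposed credentials (constructed)",
    threat_event_frequency=Estimate(0.5, 2.0, 6.0),
    vulnerability=Estimate(0.05, 0.15, 0.40),
    primary_loss=Estimate(200_000, 600_000, 2_000_000),
    secondary_loss=Estimate(100_000, 1_500_000, 8_000_000),
)

if __name__ == "__main__":
    print(f"point estimate (most likely values only): ${point_estimate(EXFIL):,.0f}/year")
    for key, value in simulate(EXFIL).items():
        print(f"{key}: {value}")
```

The distinction between the single point estimate and the simulated distribution is the whole point: a stoplight chart hides the tail, while the 90th percentile and the probability of exceeding a materiality threshold are exactly the numbers a deal team can weigh against price, indemnities, or a decision to walk away.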
A critical advantage of a cybersecurity risk assessment that results in dollar-quantified risk is that, in addition to providing actionable data, it satisfies both the letter and intent of such regulatory requirements as:
- SEC Guidance on Cybersecurity Disclosures – Companies must deliberately determine “the potential materiality of any identified risk”
- Federal Financial Institutions Examination Council (FFIEC) – Calls for the use of information security “risk measurement”
- PCI Security Standards Council – Mentions FAIR as an option in its Risk Assessment Guidelines
- GDPR – Data protection impact assessment must justify “appropriate measures” or risk being considered negligent when penalties are applied
The corporate world has already reached the point that M&A decisions are considered reckless without including cybersecurity due diligence. They must now be more discriminating in how that due diligence is conducted. The next truism on the horizon is the understanding that unless cybersecurity due diligence results in dollar-quantified pictures of risk exposure, it simply is not useful.