Editor's note: The following is a guest article from Ray Rothrock, executive chairman of RedSeal, partner emeritus at Venrock, author of "Digital Resilience: Is Your Company Ready for the Next Cyber Threat?" and board member of the Nuclear Threat Initiative.
The recession caused by the coronavirus pandemic had a chilling effect on economic activity, as companies determined next steps. For some, the solution to weather the contraction was to limit spending, while others accelerated innovation and technology adoption.
But externally facing enterprise efforts slowed dramatically. Global transaction values in the third quarter of 2020 plummeted 53.2% year-over-year due to the COVID-19 pandemic, while the total number of deals fell 29.1%, according to S&P Global Market Intelligence.
The good news is that there is nowhere to go but up. There is likely to be significant pent-up demand for M&A in the coming year. In fact, a global survey of 250 senior M&A executives conducted by law firm White & Case LLP found dealmakers are optimistic about the outlook for M&A activity, with three-quarters saying they expect M&A activity to increase in their region in the coming year.
Due diligence plays an important role in the M&A process and company valuation. Given the devastating impact that COVID-19 is having across nearly every industry, most target companies will go through a comprehensive appraisal and due diligence process that will last anywhere from a few months to a full year.
With COVID-19 still on our minds, a review of healthcare policies, employee attendance policies and related topics heretofore not considered in M&A will surface.
As a venture capitalist, I have been through the acquisition process 34 times. Acquirers and their agents, including auditors, lawyers and bankers, are now in the process of compiling an extensive evaluation checklist that includes everything from software license reviews and financial audits to building inspections, inventory counts and intellectual property assessments.
And while the process feels exhausting and thorough, the one all-too-commonly overlooked item that I believe should be central to every M&A due diligence checklist is cybersecurity.
Cyber risk can threaten M&A
Only six years ago, almost four in five dealmakers weren't testing cybersecurity as part of their due diligence process, according to Freshfields Bruckhaus Deringer. Despite the many horror stories of data breaches and cybercrimes wreaking havoc and resulting in massive losses, some acquirers pay only the most cursory attention when it comes to evaluating cybersecurity risks.
"Data vulnerabilities can seriously threaten the value of a business," according to a recent report from accounting firm Grant Thornton. As the cyber risks facing organizations intensify, an organization's cybersecurity posture and strategy are becoming a critical part of the due diligence process for M&A.
What is learned during the due diligence process can directly affect the price paid for a company. Back in 2017, Verizon Communications reduced its original offer for Yahoo! by $350 million after learning about two massive cyberattacks at the company. It's simple — the greater the risk, the lower the price.
The potential fallout from a breach can be huge, causing the affected company to plummet in value. And, it isn't just the target company that needs to be concerned.
Imagine acquiring a company whose network is already compromised, and then connecting your own network to it during integration. An attacker with a foothold in the target now has a path into a previously well-defended environment, and the acquirer inherits every unpatched system, stale account and misconfiguration along with it.
It is incumbent on businesses to fully grasp the potentially devastating impact that acquiring an additional network can have, and to evaluate the liability and the loss of value and reputation that a weak network infrastructure might produce. Due diligence must therefore include full disclosure and assessment of the target's entire network and security architecture, and integration plans should keep the two networks segmented until that assessment is complete.
A cyber diligence call to action
Both acquiring and target companies have a lot to lose from poorly managed risk. The digital transformation is well underway for every company. As such, every company depends on its network, its cloud services and all things digital.
That digital infrastructure is both a target and a source of risk for every organization. A successful attack and exfiltration of data can directly reduce the target company's sale price, while the target's network weaknesses can be imported into the acquiring company.
As a result, the resilience of a company's network is an increasingly vital — and highly valuable — asset. For auditors, lawyers and bankers, this is a call to action to establish a methodology to measure the digital resilience and cyber-readiness of target companies.
Indeed, it is impossible to perform thorough due diligence and accurately price a company without a deep understanding of its cyber risk.
Assessing the risk
The number of breaches of corporate networks continues to rise dramatically — even in the face of increased cybersecurity investment and products designed to thwart cyberattacks.
In 2019, bad actors racked up $3.5 billion in cyber thefts, a dramatic increase from $800.5 million in 2014, according to the FBI's Internet Crime Complaint Center. The recent supply-chain attack carried out through SolarWinds' Orion software, whose compromised update was installed by as many as 18,000 customers, illustrates that even trusted vendors can unknowingly inject risk into an organization.
Something is clearly amiss. So how is a company to understand its cyber risk? Just asking the question isn't good enough. Research shows that C-level executives are either over-confident or confused, or simply do not have the metrics in place to accurately state their cyber risk.
In 2017, a BAE Systems survey of C-suite level executives and IT decision-makers found a wide gap between the two groups when it comes to assessments of cyberthreats, costs and responsibilities.
Specifically, C-suite executives estimated that on average a cyber breach would cost their organization $5.9 million, whereas IT professionals put that figure at $27.2 million. That is a gap of more than $20 million, and this disconnect should be a huge red flag for anyone undertaking a due diligence process.
Digital resilience is key
So how should businesses value, or devalue, a company based on cyber risk? Buyers can look first to the target's cybersecurity investment.
While most companies direct the bulk of their investment to threat prevention and identification, these are not the most important indicators of a corporate network's health in the M&A due diligence process.
Rather, the key factor is the resiliency of the data infrastructure. What data is protected? How well is the infrastructure understood? Is it set up as intended? Does it adhere to industry best practices? How quickly and completely can it recover from an attack? What are the attitudes and training levels of the people in charge of the infrastructure?
It is these factors that fully capture and quantify risk.
It is in every buyer's best interest to clearly understand digital resilience during the M&A process. When buying a house, only the most foolhardy buyer would finalize a transaction without requiring a full inspection, including a thorough evaluation of the foundation, roof, HVAC system and plumbing, not to mention the location of fire doors, circuit breakers and gas shut-off valves. And this is to say nothing of the insect infestation one might need to identify. We need to apply this rigor to the cyber world.
With the high stakes of M&A, cyber due diligence should be a priority, not an afterthought. It's really not that hard, but it takes time, commitment and leadership to make it happen.