It happens all too often: a buyer pulls out of a deal or lowers their bid after discovering a seller’s cybersecurity shortcomings during the M&A process.
And the issue is only getting worse due to a recent surge in ransomware attacks. The volume of information security incidents has soared in recent years, and over half of key decisionmakers say they have encountered a cybersecurity issue that put a deal in jeopardy, according to Forescout Technologies.
Whether a seller suffers a breach years before a deal or during one, the consequences can be devastating. We’ve seen buyers walk away or drastically alter the deal structure including by reducing the purchase price.
Fortunately, a thoughtful approach to cybersecurity can help sellers stay on track even through an untimely incident. Amid a significant increase in cyber incidents, and ransomware attacks in particular, here is what to know when preparing for a sale.
First and foremost, sellers should disclose any previous or ongoing cyber incidents as soon as possible. An undisclosed data breach is considered an immediate deal-breaker for 73% of decision-makers surveyed by Forescout. In addition to being viewed as an honest and transparent deal partner, you can prove that such incidents have been adequately handled in the past and that you have systems in place to appropriately address them in the future.
A buyer will want to know whether you are aware of any prior cybersecurity incidents, how they were detected, and how they were handled.
Too few middle-market businesses have the proper infrastructure and processes in place to deter and respond to cyber incidents.
You can take steps to implement specific cybersecurity measures, including by implementing the appropriate antivirus software, acquiring insurance, and hiring ethical hackers to conduct penetration testing. Think about the extent of damage that would occur in the event of a security breach. Would you pay a ransom in the event of a ransomware attack?
All these aspects should be considered well in advance of any M&A transaction. Make sure your IT team is instrumental to the deal process.
Prepare for Due Diligence
Considering most organizations today rely on digital data and network systems, it is no surprise that cybersecurity is becoming a significant part of the due diligence process.
Buyers are taking note of growing ransomware threats and cybersecurity concerns, with 81% of decision-makers saying they are focusing more on a target’s cybersecurity approach than in the past, according to Forescout.
Sellers should be prepared to review:
- Digital assets, understanding the network and system architecture as well as data flows
- Prior incidents and incident-response capabilities
- Ongoing vulnerabilities including third-party vendors
- Internal cybersecurity programs and regulatory compliance
- Ability to withstand an incident and the potential scope of damage that would occur
A breach can even affect the due diligence process itself. For sellers, it can be difficult to produce financial statements when your systems are down, and this can delay a deal by weeks or months.
Cyber incidents are disruptive, but they can truly wreak havoc during the M&A process, causing delays and financial losses or even sinking deals.
Sellers should be transparent about any incidents that have occurred, have processes in place to handle issues in the future, and be prepared to thoroughly review cybersecurity issues during the due diligence phase of a deal.
As businesses rely more and more on network architecture and digital data, technology is becoming central to every deal.
At Copper Run, we have seen ransomware and cybersecurity issues impact deals from the perspective of both buyers and sellers. We understand what it takes to prepare for a rigorous sale process and would be happy to ensure your deal goes according to plan.
Kaity Templin is a Vice President at Copper Run and focuses on client services and business development.