How do you measure the value of a company? Market capitalisation, EBITDA, cashflow, asset value, IP and goodwill are just some of the traditional metrics. But nowadays, there is a new addition, a company’s cyber security posture.
Until recently, considered by many to be a peripheral issue for companies outside of the technology sector, the exponential rise in the use of data and online activity means even the most mundane organisation can be a target for hackers.
As high-profile cases in the past months attest, the result of a cyber breach is not just inconvenience. Serious reputational damage, a diminished share price, and hefty fines from a regulator are just some of the fallout the victim can expect.
One organisation taking a lead on the issue of cyber security is EY, which provides a comprehensive assessment of a company’s cyber defences alongside its traditional assurance, tax, transaction and advisory services.
What has become apparent from EY’s assessments is the inextricable link between the value of a company and the robustness of its cyber security. Information which has proven invaluable for its clients who are wishing to buy or sell a business.
“There are a number of areas where cyber security really plays a significant part, both in terms of the ongoing value of an organisation and at any point where there is M&A activity,” said Faizul Ali, EY’s lead partner for cyber security for transaction advisory services in the UK and Ireland business.
“We’ve been bringing new cyber-led perspectives to inform investment decisions across a deal lifecycle. By blending cyber security diligence with financial, operational and technology deal diligence, we’ve successfully become market leaders doing more cyber diligence than any other advisor supporting corporates, private equity houses or other investor in the M&A market”.
The level of malicious online activity targeting a particular company is often heightened during a period of M&A activity as communication and information shared between the firm’s component parts, and external advisors, increases.
The consequences of a breach during this time can be severe and if not discovered in time, could result in a firm paying significant amounts to buy a compromised business.
Paul Harragan, a senior cyber security specialist within operational transaction services at EY gave a recent example of where his team uncovered a potentially deal destroying security leak.
"Our investigations found vulnerabilities that potentially exposed trademark information. Our findings were confirmed when the breached data was discovered online eroding the deal value completely.”
Not every transaction risk or issue flagged during EY’s cyber diligence is going to be a deal breaker. But crucially for the acquiring company or fund, the more problems raised during the assessment, the more money can be knocked off the purchase price or the required time-bound risk mitigations and fixes added to the term sheets.
The same logic applies to funds wishing to sell off assets, as a company deemed to have very robust cyber defences will command a premium.
EY’s cyber diligence is therefore tailored to each company – factoring in size, sector, business model, the specific threat landscape and their cyber security strategy – but also covering the duration of the firm’s life cycle.
Harragan explained: “If a private equity house decides to spin the company off in five years, they would need to monitor the threat landscape and make sure the company’s defences don’t erode during this time so that when it comes to selling, the fund can show they have been monitoring and protecting their investments. Doing so acts as a value driver and enhances the company’s credibility and worth.”
Organisations want to buy a business in good health. They do not want ambiguity when spending billions of pounds acquiring a company. It is all about certainty.
Ali continues: “Our point of differentiation is we are cyber security specialists, but we are deal professionals first.”
“We can take our cyber expertise and contextualise it within a deal making scenario, which a boutique cyber or technology firm would be unable to do. Cyber security diligence shouldn’t be seen in isolation – it has to be done in context of the wider business.”
EY is a global leader in assurance, tax, transaction and advisory services. www.ey.com