Your CISO & the Importance of Cybersecurity

Nicholas J Price
The issue of cybersecurity continues to climb the ranks of topics that concern board directors. Cybersecurity, and how a company manages it, affects the value of a company. Strong cybersecurity programs are an asset and weak cybersecurity programs are a liability.

A company's cybersecurity program is a major factor in acquisitions. Acquiring companies look at a company's prevention and remediation efforts when evaluating the cybersecurity portion of the company's assets. Cybersecurity audits are quickly becoming a staple in the due diligence process for acquisitions. Before finalizing an acquisition, companies want assurance that the company being acquired has a CISO and manages cybersecurity programs well. The lack of a CISO and a strong security program can be a reason that a deal falls through.

Boards should be aware of the importance of developing sound cybersecurity policies and strategies and should be able to communicate them well to maximize organizational value.

The Importance of a CISO and Sound Cybersecurity Practices

With the rise in sophistication of cybercrime, businesses continue to face new and unique challenges in protecting their digital infrastructures. Cybercrime is increasing in volume and criminals are targeting their victims more carefully. A cyber breach could occur at any time, whether a company is prepared for it or not.

Corporate leaders must be prepared with sound cybersecurity practices, which are critical for a company's bottom line. Having the right skilled professionals, such as a CISO on the team who can implement the right cybersecurity strategies, provides a solid boost to a company's value.

A CISO can be a stand-alone position or fall under the auspices of another member of the executive team who is willing to be responsible for information security. The role of the CISO includes analyzing, formulating and mitigating information security risks, forging alliances and partnerships, and supporting the business operations team.

Cybersecurity Is a Factor in Acquisitions

According to an (ISC)² survey of 250 professionals who are skilled in mergers and acquisitions in the United States, 96% of cybersecurity professionals said that cybersecurity readiness figures into their calculations. They agreed that it's standard practice to assess cybersecurity practices when determining the value of a potential acquisition target.

The survey also indicated that 77% of companies make M&A recommendations based on the strength of the target company's cybersecurity program. All 250 of the respondents said that cyber audits are now standard practice for M&A due diligence and 95% of them said that they consider cybersecurity programs to be a tangible asset. Just under half of the respondents said that if they were to discover an undisclosed breach, it would derail the deal.

Questions around cybersecurity have a tangible effect on the outcome of a deal in terms of the overall value and whether the deal gets completed. Around 77% of the M&A experts have recommended one acquisition target over another based on the strength of their cybersecurity program.

In other statistics, 57% of the survey respondents said that they had worked for companies where they discovered an unreported data breach during the audit process. Just under half of those companies said that they were aware of merger and acquisition deals that fell through as a result of it. A little more than half of those surveyed indicated that post-acquisition data breaches had negatively affected the share value of publicly traded clients.

Assessing the Value of Cybersecurity

Approximately 45% of the respondents reported that they assign a plus or minus value to each cybersecurity program and grade them as 'pass' or 'fail.' The experts also commented that the specifics of a company's cybersecurity program factored widely in the value they assigned to a company.

About 95% of the respondents indicated that they felt the actual infrastructure of cybersecurity programs was a palpable part of the calculation process. Around 82% of the experts also said that they considered soft assets such as risk management policies and cybersecurity development and training programs in assigning higher values to companies.

To demonstrate how cybersecurity is a factor in a company's value, about 52% of companies said that they were aware that a publicly traded client's share price went down after an acquired company experienced a data breach after the acquisition.

How Companies Handle Breaches Has an Impact on M&A Transactions

Among the respondents, 86% stated that if a company they were targeting reported a data breach of customer or other critical information that had happened in its past, it would take away from the acquisition price. However, if the company addressed the breach, fixed the issues that had caused it and paid its fines, 88% of the experts said that it would minimize the negative impact on the overall valuation.

Around 63% of the respondents stated that they considered information technology tools as assets. Only 52% indicated that they would consider the cybersecurity program a liability if the audit revealed weak security practices.

The experts also noted that they would consider an acquisition less of a liability if the company invested in technology and resources to bolster its cybersecurity program. On the question of how to add value to cybersecurity programs, the experts suggested that there are a few relatively inexpensive strategies that companies can adopt. Experts recommended that companies focus on soft assets like documented risk management policies and security awareness training programs.

Concluding Thoughts on the Importance of Cybersecurity Programs

It's likely that cybersecurity will continue to play a larger role in the audit process and the due diligence process for mergers and acquisitions. Cybersecurity audits are already a standard and vital process in merger and acquisition transactions. Around 42% of the respondents surveyed said that the importance of cybersecurity audits would almost certainly increase over the next two years.

The (ISC)² survey makes it clear that well-planned cybersecurity programs add solid value to companies that are in the throes of merger and acquisition deals. The statistics in the survey make a great case for board directors and senior executives to encourage other leaders to invest more heavily in strengthening their cybersecurity programs.
Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.