As private equity company Francisco Partners was about to close the sale of a portfolio company valued at more than $1bn to a strategic investor, the California-based firm received a jarring phone call. Experts examining the portfolio company’s cybersecurity had found such a long list of vulnerabilities that the investor was thinking about backing out of the deal, recalled Francisco Partners’ senior operating partner Eran Gorev. “It came as a shock to all of us,” Gorev said.
It is also further proof that cybersecurity is no longer relegated to a long list of details to check during the due diligence process but is now a key indicator of a company’s overall health and potential. As such, it is playing a larger role in company valuations, mergers and acquisitions and IPOs. Signs that point to this change include the SEC stepping up its enforcement of disclosure requirements for cyber-attacks and the recent announcement from ratings agency Moody’s that it is developing a system to better evaluate a company's cyber-risk.
We are also seeing that the critical and often stressful weeks and months around business deals are an attractive time for hackers to strike. However, many companies still do not understand how cyber-risk is tied to business milestones, and the due diligence for assessing such risks is not well established.
Here are some actions investors, managers and entrepreneurs can take to protect their interests and companies when making an acquisition, taking on a partner or going public.
Quantify the Cyber-Risk
When companies look to make an investment or acquisition or even go public, they evaluate the overall business risk. This should also consider cybersecurity risks and put a dollar amount on them, influencing the final valuation.
This requires cybersecurity experts working hand-in-hand with the leadership team to figure out not just what digital vulnerabilities may exist but what assets they actually could lead hackers to and what this would potentially mean for the business and its reputation.
In one of the few examples in which data is publicly available, in 2017, Verizon shaved $350m off of its offer to buy Yahoo after it emerged that the company had suffered data breaches that would be expensive to fix. More recently, an IBM report concluded that a data breach at Uber resulted in a 30% decrease in the price Softbank paid for a stake in the ridesharing company. At the same time, if done well, cybersecurity could add upside to a company’s potential value, so this should also be taken into account.
Look Beyond Potential Breaches
Taking a thorough look at how a company handles its cybersecurity can offer clues about its overall discipline and culture. For example, if a company’s experts are checking out a potential partner’s security and it becomes clear they have not patched vulnerabilities detected months ago, it could be a warning that they don’t move quickly and efficiently in other areas as well.
When an organization is up for its own IPO or other milestone, it should keep this in mind as well; potential investors will be not just looking at how secure its data is, but how its cybersecurity operations run and at the level of talent on the team.
Don’t Forget About Your Suppliers
With the growth of supply chain attacks, all potential backdoors to former vendors, partners and customers that could be left hanging open to hackers must be closed and secured. This is another step that requires close cooperation between an organization’s cyber experts and the business managers leading the due diligence process.
Hire Outside Experts
As soon as a company begins thinking about undergoing an IPO, sale or any other milestone, it should start working with outside professionals to run an audit on its cybersecurity program, similar to hiring an accountant to run a financial audit. Even if a company recently ran a cybersecurity evaluation, it is important to do it again as it prepares for an IPO or merger and acquisition. This is because it is such a sensitive time for the company, and threats are always changing.
Fortunately for them, Francisco Partners brought in a team of cybersecurity experts at the last minute to help address the risks in the portfolio company it was trying to sell and eventually closed the deal, Gorev said. But he revealed that the incident was a “wake-up call” for them and should be for anyone in the business world today. It should now be clear that cybersecurity needs to be fully integrated into a company’s valuation, whether it is being bought or sold or going public.