New research from (ISC)² finds that acquiring companies pay close attention to cybersecurity readiness and breach history.

The Cybersecurity Assessments in Mergers and Acquisitions report, which surveyed 250 U.S.-based professionals with mergers and acquisitions (M&A) expertise, was created to discover how cybersecurity programs and breach history factor into the dollars-and-cents valuation of companies during a potential purchase. 96% of respondents indicated that cybersecurity readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.

Survey respondents unanimously agreed that cybersecurity audits are not only commonplace but are actually standard practice during M&A transaction preparation. The research also found that the results of such due diligence can have a tangible effect on the outcome of a deal, both in terms of overall value and even whether a deal is completed or not.

Among the major findings:

  • 77% of M&A experts have recommended one acquisition target over another based on the strength of a cybersecurity program
  • 57% of survey respondents said an acquiring company they work with has been surprised to learn of an unreported data breach during the audit process; nearly half (49%) indicated that they had witnessed a merger or acquisition agreement fall through as a result
  • 52% of respondents indicated that the share value of publicly traded clients has been negatively affected as a result of an acquired company’s post-acquisition data breach

“Businesses are facing unprecedented challenges in protecting their digital infrastructure, and that of their customers, because of the sophisticated, targeted and voluminous attacks that can be launched against them at any time,” said Wesley Simpson, COO, (ISC)². “Our report indicates that it’s not simply whether or not a company has suffered a data breach that is most important to potential acquirers, but how the breach was remediated, and the steps taken to improve processes. Business leaders and financiers now understand that sound cybersecurity practices are critical to the bottom line and having the right skilled professionals in place to implement them is a solid insurance policy against devaluation.”

When Breaches Happen

86% of the respondents said if a target company publicly reported a breach of customer or other critical data in its past, it detracts from the acquisition price assigned. However, if that breach was satisfactorily addressed and fixed, and any potential fines already paid, 88% said it would minimize the negative impact to the overall valuation.

How Value is Assessed

Of the 96% of respondents who indicated that cybersecurity readiness is a factor in the valuation assessment, 45% said a standard plus/minus value is assigned to a cybersecurity program in a pass/fail manner. 53% said the value that the cybersecurity program represents can range widely based on the specifics of the program.

When it comes to the actual infrastructure associated with cybersecurity programs, 95% of respondents indicated that it is a tangible part of the calculation of value. 82% said the stronger the infrastructure, including soft assets such as risk management policies and security awareness training programs, the higher the value assessed. 52% said that if the audit reveals weak security practices, the cybersecurity program as a whole is considered a liability. 63% of respondents said that any information technology tools are factored in as assets.

Looking Forward

While already a ubiquitous part of the audit process, survey respondents foresee cybersecurity playing an increasingly prominent role moving forward. While 54% consider cybersecurity audits to be vital to the M&A process already, 42% believe the importance will only increase over the next two years.