A New York Stock Exchange (NYSE) survey released last year found that 85% of executives would think twice about acquiring a target if they discovered a major vulnerability during a security audit.
The report, Cybersecurity and the M&A Due Diligence Process, surveyed 276 directors and officers of public corporations to determine how cybersecurity threats affected mergers and acquisitions (M&A). It found that 64% of directors’ due diligence processes include a security audit of their target’s software applications, while compliance audits (83%) and security policies (86%) were of even greater concern.
M&A practices beginning to change
The report states that, until recently, “acquiring companies mainly focused on the evaluation of a target’s fundamentals, which primarily comprised financials, consumer sentiment, and strategy. Cybersecurity and IT due diligence was carried out in less than 50% of deals.
“Modern M&A practices are only now beginning to change, despite the well-known impacts of the mere discovery of software application vulnerabilities on the profitability and reputation of an organization, as well as the significant disruption to productivity and business processes in general.
“Buying a company translates to buying data. And buying data means you are buying past, present, and future data security problems.”
Indeed, 22% of respondents said that the occurrence of a high-profile data breach at an acquisition target would deter them from pursuing the deal. Another 52% of respondents said they’d only proceed with the deal if the purchase price was reduced significantly. This was seen in practice during Verizon’s takeover of Yahoo. The original deal was worth $4.83 billion, but after Yahoo disclosed two massive data breaches, the price was cut by $350 million.
The NYSE writes that, although a high-profile data breach might not be a complete barrier to a merger or acquisition, directors “may well be advised to pay heed to their cybersecurity efforts.”
Commenting on the report, Information Security Buzz claimed that organizations’ growing concern over cybersecurity may cause major deals to fall through in the coming years.
Get help in securing your organization
To help protect your organization from a range of cyber threats, you should implement an ISO 27001-compliant information security management system (ISMS). ISO 27001 is the international standard that describes best practice for an ISMS, providing a framework for securing and protecting confidential, personal, and sensitive data.
If implementing an ISMS seems like a daunting task, our ISO27001 Get A Lot Of Help Package gives you everything you need. It combines essential ISO 27001 tools and resources – including consultancy, implementation guides, and a license for the risk assessment tool vsRisk™ – with online training and five days of Mentor and Coach consultancy at each key stage of your implementation project.