Bringing cyber risks into the light

When you consider the financial and reputational risks, it has never been more important for investors and boards to know a company’s level of cyber and data exposure. Yet, whilst many business balance sheets and growth projections look healthy, their cyber-hygiene is often underinvested, contains hidden vulnerabilities and has evidence of compromise – which may be unknown even to existing management.

This week, Ian McCaw, leader of EY’s Transactions Cyber Team, discusses how bringing cyber and data risks into the light can give deal teams an edge and help protect deal value.

Hidden horrors

Cyber-security is a new technological Darwinism: a “survival of the fittest” for the 21st century. In this ecosystem, the predators have the upper hand, with the ability to adapt at speed to new vulnerabilities and achieve success by landing just one blow out of millions of attacks. In contrast, businesses tend to be complex and evolve much more slowly, with vulnerabilities persisting across their entire operating model – and within their third-party supply chain.

Many organisations harbour these vulnerabilities and hidden technological issues with the potential to significantly devalue or bring down the whole business. One of two events tends to bring these problems to light:

  1. A direct cyber-attack. The WannaCry attack infected 400,000 computers globally, most notably NHS systems. During the summer a less-publicised malware called NotPetya caused over $1 billion in losses. As I write, a growing botnet of 2m+ hacked devices called “Reaper” may soon target firms.
  2. M&A – during and after a deal. Less than 10% of deals executed today factor cyber-security into investment decision making, not to mention post-deal value creation, integration or carve-out activities.

Given the speed at which the predatory threat is growing and evolving, any problems are unlikely to stay hidden for long. According to Ponemon Institute research, companies suffer an average of 130 breaches per year – a 27.4% increase since 2016 and almost double the total five years ago. In 2015 there were approximately 4 million ransomware variants; today there are over 1 billion, with self-propagating strains – like WannaCry – constantly assailing organisations’ systems.

Clear consequences

As we’ve seen recently, affected organisations can face severe financial and reputational damage as a consequence of an attack, including a substantial hit to shareholder value. From May 2018, organisations who fail to implement effective cyber security measures will also face fines of up to £17m (or 4% of global turnover) under the EU General Data Protection Regulation (GDPR). In addition, the EU Network and Information Security (NIS) Directive mandates that operators of essential services – including utilities, transport, health and digital organisations – be ready to deal with cyber threats. No organisation is immune. Manufacturing has become the industry most susceptible to cyber-attack – even ahead of financial services.

Clearly it’s vital that we identify cyber and data risks as soon as possible. But what about in a deal situation?

Shining a light on cyber-risks

Dark diligence, or cyber diligence, requires specialist skills to determine cyber risks and transaction impacts and, contrary to common misconceptions, this can be performed using lawful techniques before a deal is executed. Of course, once the deal completes, a buyer can perform a security test or penetration test on key IT systems and applications, but this is the digital equivalent of trying to crack open the bank vault after you have bought the bank. Such techniques are unlikely to capture evidence of historic compromise. Successful attackers may already hold the keys to your network and, therefore, to any new security system installed in the newly acquired business. This makes it possible for the newly acquired business to be used as a platform to compromise the parent firm – something we have come across before.

Another misunderstanding is that existing management will have a complete view of cyber security in their own business. During Q&A a confident CIO may present the latest IT security certificate, risk log or compliance report. Management may not be intentionally misleading, but experience suggests they often have a blind spot when it comes to their own business. It’s certainly a red flag if management – and especially IT management – are defensive and question why they might be attacked, claim to have other priorities or treat cyber security as anything other than essential.

Cyber questions

There is no one-size-fits-all approach for cyber diligence because each business operating model is different. But deal teams certainly need to know the latest cyber risks and how these affect critical infrastructure, data, supply chain, intellectual property and brand.

Do you know the following cyber risk indicators for your business/last transaction?

  • Does the board receive and act upon active cyber metrics and reporting?
  • Are there vulnerabilities or indicators of compromise over the last 12 months?
  • Is the business heavily dependent on IT systems and data to generate profits? If so, which are the critical systems?
  • Does the business outsource provision of IT, applications or data?
  • What level of oversight does it have on key suppliers’ cyber security, particularly outsourced operations in your value chain such as clinical research organisations, co-manufacturers, co-packers, call centres, shared service centres and IT service providers, who will probably be representing your business with products and services branded using your logos?
  • What would be the impact of a breach on key information assets?
  • Do you know what data regulations apply to the business and the potential impact for non-compliance?
  • What level of cyber security investment has been made in the last 12 months?

The techniques and specialist skills for performing cyber diligence to address the questions above, and more, are available today. In many transactions, cyber diligence findings have become a potential deal-stopper or have materially impacted the valuation.

Sophisticated buyers could actually become capitalistic “super-heroes” for cyber security – driving real change where industry standards and regulators have failed and providing the catalyst for businesses to properly address cyber risks. Money talks and, if sophisticated buyers increase their cyber diligence, this will have a positive ripple effect across businesses and our economy. Capital events could be the seed of evolution that drives technological survival.