Tuesday 2 October 2018

Boardroom Briefing on Cyber Risk Exposure, in M&A and deal-flow scenarios

To understand and simplify the current Cyber Risk exposure in Mergers and Acquisitions (M&A), this article explains the inner workings and the current state of affairs on the Cyber front from a deal-flow perspective, and is structured as an informative boardroom briefing.
"Understanding the Cyber related risks in M&A in this digital era is an 'investment metric' for a successful decision-making process"
Before jumping into specifics, and to put things in the right context, consider for a moment that every business entity is more or less similar to a living ecosystem that is composed of people, services, synergies, cooperation, products, ideas, technologies, dependencies, and advances on different fronts. Effectively, as business entities evolve by adopting the digital model of operations, the nature of their risk exposure equally evolves due to the numerous emerging Cyber-threats.
As an example of this evolving adaptation, it is relevant to think how back in the day, hard copies of important documents used to be kept in safes or inside rooms with a limited storage capacity, by simply having a good enough lock on the door. Nowadays, data repositories need to be protected by strong encryption and complex passwords, while Cloud storage is dynamically assigned when needed. Similarly, employees’ access to systems and documents had to be physically supervised and monitored onsite, while nowadays remote access to information and sensitive data is considered mandatory and has to be logged and automatically assessed in real-time by specialised systems. 

Hence, it is safe to say that every aspect of a business's ecosystem has now evolved into having its digital equivalent, across all business needs, processes and endeavours. This 'digital transformation' has affected every aspect of a business entity by including computerised systems, smart automations, interconnectivity, processing of high volumes of data, and last but not least, access to communications over the Internet, utilising ground-breaking network speeds and computational power. At the same time, these innovative new technologies and models can impact the value of existing products and services offered in the industry, and this is something that is usually referred to as 'digital disruption'.

Consequently, with safeguarding these vital moving parts of a business ecosystem come the challenges that many Cyber Security experts are currently trying to address, on multiple threat fronts. These challenges include, but are not limited to, maintaining the operational status of different types of systems (for example, eliminating downtime), securely handling any sensitive and private information, and meeting legislation and regulatory compliance requirements, while ensuring confidentiality, integrity and availability of communications.

The information security industry can provide numerous off-the-shelf solutions, processes and services to help organisations tackle all these emerging threats, but at a board level, this is something that tends to bring more confusion. Different 'Solutions' and 'Processes' that are not part of a bigger Cyber Resilience strategy do not answer the required Leadership-level questions when trying to identify and quantify Cyber Risks under an M&A agenda.

Walking through this briefing article, readers are expected to take a step back and paint the bigger picture when it comes to dealing with Cyber related challenges, while focusing on large and complex business entities.
"Regardless of which industry, or industries, a business entity is operating in, being in a position to pro-actively identify, assess risks and take actions to defend against emerging Cyber threats defines one of the most important competitive advantages, not only among competitors but also against (Cyber)threat actors"
The evaluation of a business has moved beyond its traditional annual turnover, value of assets and investment plans. The Cyber Risk involved in every aspect of the business ecosystem is what drives its reputation in the market and the trust of its clientele and investors, while affecting share value and dictating in many cases the future scaling-up plans.

Being able to Sense, Resist and React to Cyber threats as they evolve is not only one of the vital parts of an entity's ecosystem, but also what drives decision makers in investing, acquiring, merging, carving out, divesting, integrating, or even separating assets when/if needed.

One of the most challenging questions being faced, that requires Cyber Security experts to be in a position to answer, is the allocation of a Cyber CapEx, along with the decision of where and how that expenditure will have the most impact and effect (and in what way), across complex business ecosystems. 

Looking at the situation at hand from an even higher level, we start seeing the Cyber risk implications across a whole portfolio of companies, and not just a single business ecosystem. As an example, think, from a Private Equity's (PE) point of view, of the added value of knowing the Cyber Risk(s) across different assets (pre/post-deal) at any given point in time.

Hence, Cyber Due Diligence in M&A and deal-flow scenarios should be seen as: 
  • Being of high importance to understand the implications on how each PE’s asset(s) can be affected by emerging Cyber-threats, past or future data breaches, security issues and security vulnerabilities that affect the core technologies and services that a particular business entity relies upon. 
  • Taking this a step further, it is imperative to be able to quantify the added value to a decision being made, especially when deciding whether the entities should be acquired or invested into. Consequently, having a very good understanding of an entity's exposure to cyber risk becomes a matter of significant importance, as it can indicate a deal-breaker or a promising deal moving forward.
  • Last but not least, due to the fact that modern businesses are heavily invested in generating, handling, processing and storing vast amounts of information, rather than having physical assets, any kind of loss of Intellectual Property, patents, and data due to gaps in Cyber Security can affect the business at an irrecoverable level.
Conclusively, it is undoubted that for decision makers in the boardroom it is imperative to have the proper visibility across all entities, collectively or independently, by having a clear understanding of the Cyber Risk exposure, and the holistic Cyber Security posture. This translates into having a Cyber Review (Due Diligence) process that can:
  1. First of all, adequately quantify the Cyber Risk exposure from a deal-flow perspective by taking into consideration external and internal threats, logging and monitoring capabilities, the talent pool involved, and compliance with regulations, standards and best practices in cybersecurity.
  2. Additionally, provide the bigger picture by combining factual data originating from up-to-date external metrics, different types of historical data (which may include evidence of botnet infections, suspicious network traffic, patching cadence, etc.), threat intelligence, and any previously leaked/breached data while everything is presented in a meaningful and actionable way.
  3. Understand what is the real cost behind the investment that is required for minimising the exposure to Cyber related risks. In other words, the cost for: a) reducing risks that can affect valuation (pre-deal & post-deal), b) having an effective Cyber Security strategy in place, and last but not least, c) what future financial investment in Cyber Security is needed to protect critical business assets (such as IT infrastructure, Intellectual Property, patents) from constantly evolving Cyber-threats.
Decision makers need to be presented with facts on the Cyber front, which spawn forward-looking decisions. A clear understanding of the cyber related risks, especially when trying to decide what is the best course of action in a deal-flow investment scenario, can significantly help in minimising the risk of unexpected value erosion.

To summarise the above, such a proactive approach to fully understanding the current exposure to Cyber related risks in M&A is not only a significant forward-thinking decision, it is also a metric for a successful decision-making process.

This article was originally posted here: 
