When preparing for acquisition, businesses should always see cyber-security as a key part of the pitch, warns Chris Gunner at Thrive
When preparing for investment, merger or acquisition (M&A), businesses don’t always see cyber-security as an integral part of the pitch. Smaller companies operating on tight budgets may hesitate to invest the sums needed to achieve a robust cyber-security posture ahead of a potential acquisition, worried that doing so could make them appear less attractive or less valuable to prospective buyers. And where smaller businesses have fewer resources and fewer people with an acute awareness of the importance of cyber-security, they are less likely to have proper security processes in place.
But ignoring a poor cyber-security posture can lead to disrupted business operations and downtime, direct financial losses and reputational damage for a merged entity. For many investors, that is a risk not worth taking. A weak posture can set off a number of red flags for potential investors and business partners, and potential deals can be lost as a result.
Academic research even suggests that firms with low cyber-security risk are more likely to be involved in M&A transactions. To prevent investment opportunities from falling by the wayside, businesses must understand both the red and green flags that firms look for when assessing a potential M&A deal, and then follow some key steps to improve their security posture along the way.
The red and green flags driving decision-making
Organisations must be wary of the factors that may deter investors. A major red flag is bad governance and management within a target company. Among organisations that have fallen victim to a cyber-attack, the businesses that perform poorly after a breach are typically found to have performed poorly before the breach. What that tells investors is that the business’s problem is not merely technical.
Technical issues that create a potential cyber-risk are commonplace, but a well-governed and well-managed organisation can act quickly to fix the issue, with processes in place to escalate a problem for remediation. Investors will want to see that the business has effective procedures in place to address any concerns quickly and effectively.
In contrast, a green flag for an investor is being able to understand the risk profile of a target business and what that business will bring to the acquiring organisation. Often, the mindset among organisations potentially being acquired or targeted for investment is that they will protect data in a way that they feel is necessary for their operations. But it may not align with what an acquirer or investor wants to see.
Instead, the best way for a business to think about it is to ask: “Why would someone want to acquire us?” An effective cyber-security posture, with sensible spending behind it, is likely to be one of the key drivers. For example, a business primed for investment might have signed one-year rolling agreements for its cyber-security technology stack, leaving a simple and flexible environment that an acquirer or investor can easily pick through and tweak once the acquisition is complete. It will have spent money only on necessary services and solutions, with a strategic understanding of why it made each cyber-related decision.
Shoring up cyber-security posture
With a well thought-out and defined cyber-security posture, businesses can put themselves in the shop window for an M&A deal. The starting point to achieving that posture should be a holistic controls assessment, which gives an overview of everything the organisation has in play.
By benchmarking against each of the 18 Center for Internet Security (CIS) Critical Security Controls, organisations can quickly assess their current situation against recommended best practice and identify where improvements need to be made for M&A or investment. The controls are tiered into Implementation Groups (IG1 to IG3), so a smaller company can start by benchmarking against the IG1 subset rather than the full set. Recommendations in areas such as inventory of enterprise assets, data protection, audit log management and penetration testing can each carry an approximate associated cost, ensuring that expenditure on new technology or services doesn’t spiral out of control.
The next step to enhancing cyber-security posture is ensuring that roles and responsibilities are clearly defined. A playbook of what to do during a cyber-incident is valuable, but incidents evolve in the moment and require individuals to step up and take responsibility for specific actions. If confusion reigns during a breach because people haven’t agreed on what they are meant to be doing, it becomes a major governance issue, and investors or acquirers won’t look favourably on it.
It again goes back to that mindset of considering what an investor would want to see. Clear responsibilities, wise spending and a commitment to improvement can make all the difference.
A business imperative ahead of a deal
A strong cyber-security posture is a business imperative when preparing for an M&A deal. Buyers are looking at how much risk they’d be inheriting, not just financials or market share. To stand out in a crowded field, businesses must demonstrate sound governance, incorporate an effective incident response and remediation plan to navigate crises, adopt transparent decision-making with defined roles and responsibilities and implement strategic decision-making around new cyber-investments.
It’s time to clean up security posture now, before someone else decides it’s not worth the clean-up later.
Chris Gunner is vCISO at Thrive
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543