It’s difficult to forget certain moments, like when a $1.5 billion deal nearly slips through your fingers. Companies looking to be acquired are learning first-hand how dramatic the effects of poor cyber defense can be on an investment. In the following case, it took two hours to forgo the ten-figure deal “just” because cyber auditors slammed the security posture of a portfolio company.
Watch senior experts from CYE, EQT, Francisco Partners and SANS discuss the role of security in due diligence and M&As.
When it comes to M&As, it doesn’t take a cyber breach to stall the deal
Francisco Partners, a tech-focused private equity firm, with over $25 billion in assets under management, owned a company that was doing very well. As a result, a strategic investor expressed interest in exploring an acquisition of the company, which, at the time, was worth over a billion dollars.
One morning, as they were getting closer to signing the purchase agreement, Francisco Partners received a phone call from the strategic investor, saying that they had a team testing the security of the company and found numerous vulnerabilities and risks – to the extent that the strategic investor was uncomfortable signing the purchase agreement.
“To get a ‘no’ from a strategic that was about to acquire the business and was a very logical acquirer of that particular business, came as a shock to all of us. That was the wake-up call that we needed as a team,” said Eran Gorev, Senior Operating Partner at Francisco Partners.
“Cybersecurity used to be an item on someone’s checklist in the past, but was something that was necessarily taken very seriously,” he continued. “For us, although we knew of cybersecurity risks and made investments in cybersecurity companies, this particular situation really woke us up and changed our entire approach.”
As a result, Francisco Partners reached out to CYE to assess the actual situation of the company. “With CYE’s help, we addressed and fixed the issues that were presented to us and luckily, about six months later, we finished with a successful transaction,” added Gorev.
“There will always be a limit to how professional and how much knowledge your in-house team can have,” he said, highlighting the importance of relying on people whose profession and focus is cybersecurity.
“Being proactive, not just on implementing tools, but working with a partner that you trust on an ongoing basis… the continuity… the ongoing basis are crucial here,” he says. “Having this ability to get input from a very professional team, who has a team of ethical hackers behind it is a very powerful approach. I would recommend everyone to consider it and move forward in implementing such a strategy and approach before a breach happens or before an exit is unsuccessful because of cybersecurity issues.”
Consider your “Nth” party risks
As business continues to become increasingly interconnected and interdependent, what was once considered to be a third-party supply-chain risk seems to have been elevated to an “Nth-party” risk, with countless vendors and moving parts. A software company, for example, may be composed of multiple pieces of software and services, may be reliant on 4th, 5th or 6th party vendors, and may sit on an external cloud service provider.
When considering an M&A, the acquiring company focuses on a variety of issues related to the business risks, including competition, market fit and so on. Yet you would be surprised to see how many investors dismiss cyber risks.
The key: continuous cybersecurity assessments
With attack surfaces increasing exponentially and the external and internal threat landscapes changing rapidly, cybersecurity assessments must be conducted on a continuous basis.
“Conducting a cybersecurity assessment once a year is a good start, but certainly insufficient,” said Reuven Aronashvili, Founder and CEO of CYE. “The earlier you start integrating cybersecurity into the design architecture and considerations from the board level to the last employee in the organization, the earlier you will be able to introduce those cybersecurity considerations and the better you will be prepared for an exit. From our point of view, ‘continuous’ is the key word.”
Ultimately, organizations need to start conducting cybersecurity assessments at the speed of doing business.
Demystifying cybersecurity and translating technical risks into business risks
Boards of Directors and executive management have come to understand that cybersecurity needs to be a board-level issue, as it is intrinsically part of the value and valuation of the company.
“Cybersecurity risks cannot be an issue that is handled by someone in IT, but that senior management does not care about,” says Petter Weiderholm from the global investment organization EQT, adding that CISOs need to be “able to clearly articulate priorities and tie this to their financial exposure and quantify the risk.”
He notes that it is essential to “make sure that cybersecurity risks are treated the same way – with the same methodology and severity and significance – as all other risks that a company and the management team is used to manage.”
Petter emphasizes the need to “try to demystify it, speak a common language and invite non-technical people to understand what an investment will do for us as a company. You can understand the benefits, without being a technical person.”
In doing so, CISOs and security teams can help build the enterprise value in their companies and show the quality of their assets.