Would you value a potential investment or acquisition target differently if you knew that it had been breached or was at high risk for cyber losses? The $350 million cut to the price Verizon paid for Yahoo, after Yahoo disclosed a breach that had occurred two years earlier while the sale was pending, was a large-scale example of the impact of a breach on valuation. But adverse cyber events can have massive repercussions for organizations of any size.
Corporate efforts to prevent, detect, correct and recover from cyber events are critical in determining the immediate and long-term value of an investment or acquisition. The costly fallout of a successful cyber attack or data breach on a company's intellectual property, innovation and reputation now demands more immediate and more thorough due diligence around cyber risk. Examining the financials and strategic strengths of a target does not provide evidence of a company's ability to defend itself from a cyber event, nor of its resilience: whether it can contain a breach and return to normal business as quickly as possible.
Regulators Put Companies on Notice
Cyber risk due diligence is not only smart business; it is now mandated by regulatory bodies such as the OCC, FFIEC, and SEC. The Securities and Exchange Commission, for example, now requires businesses to disclose cyber risks and expects boards and senior executives to describe "the nature of the board's role in overseeing the management of [cybersecurity] risk."
In 2018, the SEC backed its guidance with fines and investigations. It fined Altaba, the successor to Yahoo, $35 million for not disclosing Yahoo's breach in SEC filings and for failing to alert investors and customers for more than two years. For the first time, the SEC enforced a rule requiring investment firms to have an identity-theft prevention program, after a phishing scheme in which attackers impersonated connected vendors to obtain passwords and access the personal information of thousands of Voya Financial Advisors customers. Voya agreed to a $1 million settlement.
In late 2018, the SEC released an investigation report about nine public companies that had experienced cyber fraud. It recommended that internal controls be reassessed to protect against threat actors who impersonate executives or third-party vendors to score millions of dollars in fraudulent wire payments.
The New York Department of Financial Services (NYDFS) Cybersecurity Regulation also now requires organizations to implement substantial efforts to secure data and manage third-party risk. Investment companies, banks and trust companies, licensed agents and brokers, mortgage companies, and insurance companies operating under New York's Banking, Insurance or Financial Services Laws were required to have all of its security controls in place by the final transitional deadline of March 1, 2019, including:
- Network activity monitoring and audit trail
- Application security
- Data retention
- Access monitoring
- Encryption
- Third-party risk management
Read our latest on the NY DFS deadlines.
Assessment is Key to Due Diligence
While compliance with regulatory requirements is a driver, the assessment of security gaps and implementation of a more robust security program tied to business goals will ultimately preserve corporate value. How can acquiring or investing firms maximize due diligence to minimize risk and improve outcomes?
- Whether the need is to protect an investment firm’s own vault of data, aggregate the cyber risk of its portfolio, or understand the cyber risk of a target and its vendors, an enterprise security assessment is the best way to take a panoramic approach to identifying vulnerabilities.
- Don't rely on the promise of quick and easy off-the-shelf security ratings that monitor IP reputation or use only external scans. They can identify that unpatched vulnerabilities exist, but they don't reveal why they exist, such as whether policies and procedures to mitigate risk are in place or whether they're being followed. Read our white paper to learn more.
- Look beyond IT to assess the human factor, including insider threat. People are a key vulnerability and thus a major target for attackers, who employ sophisticated phishing, social engineering, business email fraud, and ransomware techniques. Ongoing education and testing of employees is critical. Read "Is Your Greatest Risk Hiding in Plain Sight?"
- Consider vendors and third parties a significant factor in a target’s business risk and assess them as part of its digital ecosystem. Do the vendors have security postures and controls that meet the target company’s policies? Learn how to confront third-party risk – white paper.
- Integrating the target's systems with the acquirer's can present unique, complex and costly challenges in mitigating cyber threats, and can become a critical factor in determining asset valuation. Does a prospective acquisition target have a security posture and priorities comparable to those of the acquiring firm?
Viewing cyber risk across the enterprise can be achieved in an efficient, affordable and scalable manner. CyberFortis-TSC is an industry leader with certified teams that are experienced in assessing for gaps and vulnerabilities, developing processes and procedures, and advising on data storage and encryption. Our Secure Halo assessment platform simplifies risk assessment and provides board-level summaries, detailed reports for management, and a secure audit trail of security controls within organizations, portfolio companies and their respective third parties.
Partnering with an experienced security provider can improve the return on cybersecurity spending by generating valuable pre- and post-deal intelligence, and improving security postures.