Cyber attacks around the world have increased dramatically in recent years. According to Statista, the average total cost to a business of a data breach is now $4.45m. Latest figures from Statista estimate the global cost of cyber attacks will be $9.2trn this year and predict it will rise to $13.82trn by 2028. There is a plethora of forecasts for the pain that hackers, hacktivists, organised criminal gangs and state-sponsored actors – or competitor businesses or even insiders – will bring in the coming years. But one thing is consistent – it’s in the double digit trillions and it’s increasing.

A cyber hack can result in damage to or destruction of data, stolen money, disrupted operations, theft of IP or personal or financial data, or reputational damage. When it is possible to remedy the hack, there will be a cost for that too, as well as the direct impact to the business.

Elizabeth Huthman, a director in KPMG’s cyber security team, says: “There is no denying that the importance of cyber security in transactions has grown significantly in recent years, due to many factors. Companies and investors are more aware of the risks of cyber attacks and the need to protect themselves. The significant financial impact on companies has made them more willing to invest in cyber-security measures. Globally, governments are increasingly enacting regulations that require companies to protect their data from cyber attacks. This has made cyber security a key compliance issue for companies.”

When it comes to M&A, the incentives for perpetrators of cyber attacks increase and acquirer, target or investor is potentially more vulnerable to a breach if appropriate actions are not undertaken. The impact of a cyber attack on a deal can range from a minor impact on valuation, with a fully costed plan to improve the target’s post-acquisition ‘cyber posture’, to a major impact on valuation (that may materialise late in the process) or, in very rare circumstances, the collapse of a deal.

“As advisers, we’ve experienced several transactions where targets have been compromised during and throughout the deal phases,” says Jamie Iles, senior manager and UK cyber M&A lead at Deloitte. “Even prior to non-binding offers we have seen cyber become a no-go decision – that is happening more frequently.” Costs associated with a breach – the compromise itself and the subsequent remediation and professional services costs to recover from that breach – are all factored into a deal rationale and recovered as part of the final negotiation. “We’ve seen a compromise on the days of signing,” Iles adds. “The deal value shifted by millions of pounds as a result of the cost of recovery and remediation.” 

Looking in

Typical findings during due diligence are that a target company’s cyber-security infrastructure is not adequate to protect from attacks, or that the target has a history of attacks resulting in financial losses and damage to reputation, or the target is not compliant with relevant cyber-security regulations or the requirements of its cyber-insurance policy. The role of the adviser is to recommend actions to mitigate the identified cyber risks, as it would be with any other risk.

During a transaction, many more people are gaining access to a business’s data. “When a firm is engaged in M&A, you have a unique scenario where lots of people are engaging with each other and speaking to each other, maybe for the first time,” says Adam Avards, cyber and third party risk principal at UK Finance. “There are going to be gaps and a hacker can look to exploit them.”

“You can be investing in a company where you don’t understand the hidden risk itself,” says Kenny Boyce, lead cyber auditor at Third Party Cyber Security (TPCS), an adviser on cyber risks in M&A. “Cyber is like an iceberg – 80% of the risk is hidden. If you’re not doing your cyber-security due diligence, then you are investing blindly – potentially in a company whose IP is already for sale on the dark web, for example – without understanding the risk to your capital.

“When we highlight issues, it generally won’t stop a deal from happening, but will provide insights into some contractual requirements,” he adds. “We’re saying invest in this company, understand the risk of doing so, and here are some of the legal and contractual requirements to make sure that your investment is protected, based on the risks we’ve identified.”

Transition service agreements (TSAs) are important when it comes to cyber security and can last several years. Michael Young, cyber transactions and strategy partner at EY-Parthenon, warned at the launch of the ICAEW Cyber Security in Corporate Finance guide at the end of January, that “meaningless phrases” such as “like-for-like services” should be avoided when it comes to IT TSAs – the terms should be specific.

Testing times

So when an adviser is brought in to look at the cyber security of a target by private equity or a trade acquirer, what is the approach? Typically, says Charlotte Devlin, cyber director at Grant Thornton, it will start with an ‘outside-in review’: “You’re basically looking at the business from the perspective of a cyber attacker. Are there any interesting red flags or open doors? It’s not a penetration test, but you can find out about the basic health of the network and the basic security that’s in place.”

At that stage advisers might be talking to people in the business and may not know the intricacies of the different cyber controls that are in place. “Having this outside-in view allows you to direct conversations in a meaningful way around ‘What’s your broader approach to cyber and why are we seeing these things?’” she says.

Once greater access is gained a bespoke approach to cyber due diligence is adopted; so a software business would require a different approach to a manufacturer. “Proprietary software is the intellectual property of the business, and it has to be secure in the most appropriate way because that’s really where the value sits,” adds Devlin.

For example, all – or the vast majority – of an online retailer’s revenue will come through its online customer interface. So how the business protects customer information is vital to its operations, its reputation and, ultimately, its value. For such a business, ensuring that it complies with General Data Protection Regulation (GDPR) and the payment card industry’s Data Security Standard will apply.

The ability to test cyber security policies is key. A well-crafted policy will only ever be worth the paper it is written on if it is not being implemented. “It’s about trying to get evidence that people have been implementing controls on a long-term basis,” says James Arthur, head of cyber consulting at Grant Thornton. “If there’s only a very small number of people in the bubble, they might not know the answers. Do we need to increase the number of people who know about the deal, through which you can get that flow of information? Ideally we would do some independent testing as opposed to relying on what we’ve been told.” 

Of course, increasing those on the inside of a deal must be carefully managed from a deal security point of view.

Even though cyber has moved up the agenda, in the maelstrom of the deal the lead advisers may simply hear that cyber security is broadly OK and any ‘but’ after that may not get the attention required. It’s the job of the cyber adviser to identify deal-critical and value-critical cyber issues. The cyber-security culture in the business is key. 

“What you don’t want to do is get hung up on quite minor points,” says Devlin. “Is what you’re asking for going to tell you where the real risks are? How is cyber risk addressed by the business from the top down? Do people see it as a priority? What is the cyber posture?”

Inevitable challenge

It’s a given that many businesses will face a cyber attack and many will be targeted during a corporate finance transaction. It’s important that they are well advised, and deal with the attack in such a way that demonstrates the cyber resilience of the business.

“When it comes to mid-market companies, I think they do the basics – not because it is the business enabler that it potentially is, but because they have read news stories about other companies suffering cyber attacks,” says Boyce. “They feel it is something they should be doing, but they’re not really grasping that cyber security is something they should show customers, partners and suppliers that they take seriously.”

For businesses where tech is central, such as online gambling or generative AI products, cyber security is a badge of honour to show investors or acquirers – but, says Boyce: “If you’re working in another sector that’s less tech heavy, then that’s not the case. A mid-size company deciding whether cyber is a true business enabler or just more regulation is the balance of where we sit at the moment.”