If You Aren’t Considering Cost, You Are Failing At Cyber Due Diligence


Everyone knows due diligence for an M&A deal must include a review of the acquired company’s cybersecurity systems. But checking systems and controls isn’t enough: If you aren’t estimating the cost of a potential information security meltdown, you are failing at cybersecurity due diligence. (Just ask Marriott.)

You aren’t alone. Right now, M&A transactions are negotiated and executed every day without any principled estimates of how much a cybersecurity incident could cost. How can buyers make educated decisions and negotiate for protection without that information?

The good news is that there is a viable, straightforward, and more useful way to develop an economic model that will give buyers the tools they need to estimate costs.

To start, let’s look at cyber due diligence today. Buyers look at a potential acquisition’s existing controls and assess how far the company is from meeting the cybersecurity standards it has chosen to follow. The review also includes an assessment of whether the buyer needs to supplement those controls with more or different systems. Estimating the cost of implementing the additional systems can inform negotiations over price, which is a good first step.

Even more important, though, is estimating the cost of something going wrong. If Marriott had determined that it needed to spend a few million dollars modernizing Starwood’s cybersecurity systems, that would have had a minimal effect on the purchase price; the underlying liability, however, may be a billion-dollar problem.

Figuring out the value of the potential exposure requires a more sophisticated approach. No seller will give you the level of access you’d need to fully check their systems for a breach, and no cybersecurity firm will guarantee it can find every intruder; attackers go to great lengths to remain undetected. Indeed, even if you could look for attackers on the systems, you would still miss breaches that have already happened but haven’t yet produced a loss. (For example, a disgruntled former employee takes home a thumb drive with valuable IP but hasn’t yet sold it to a competitor.)

The FAIR Standard provides a method to measure cyber risk.

Instead of looking for something that you probably cannot find, it is possible to do a sound analysis of the magnitude of a breach of the acquired company’s business, and then estimate what that would cost. One increasingly accepted method of doing that is the Factor Analysis of Information Risk (FAIR) standard. The model built from it will let you genuinely weigh cyber costs when negotiating and give you leverage, particularly on indemnification.

Doing a FAIR analysis involves identifying the range of outcomes on a bad cybersecurity day (the loss magnitude), assessing how likely such a day is (the loss event frequency), and then generating a range of possible cost estimates. This actuarial approach gives the buyer a means to understand its financial exposure in an acquisition, the same way the buyer looks at its financial exposure across a range of future forecasts for the economy, the job market, interest rates, and other factors relevant to the buying decision. With the relevant cybersecurity conclusions in hand, the buyer can adopt a range of mechanisms for managing that risk, including adopting a different cybersecurity approach, adjusting the price of the deal, or seeking cyber insurance coverage to indemnify against that risk.
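The following is an added example, not code from the original post or from Foresight Resilience Strategies, of the mechanics the paragraph above describes: a FAIR-style Monte Carlo that samples loss event frequency and loss magnitude from calibrated (minimum, most likely, maximum) ranges and produces a distribution of annual loss rather than a single number. The input ranges are constructed for illustration and are not Marriott or Starwood figures; the PERT shape for the ranges and the Poisson event count are modelling assumptions, not requirements of the standard.

```python
import math
import random
import statistics

# Constructed inputs for illustration only; they are NOT Marriott/Starwood figures.
# Each triple is a calibrated (minimum, most likely, maximum) estimate, the form
# FAIR analyses typically collect from subject-matter experts.
LOSS_EVENT_FREQUENCY = (0.05, 0.2, 0.5)                  # loss events per year
LOSS_MAGNITUDE = (500_000.0, 5_000_000.0, 50_000_000.0)  # USD per loss event


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a modified PERT distribution bounded by [low, high] with the given mode.
    (Assumed distribution shape; common in FAIR tooling for expert estimates.)"""
    if high <= low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, lam):
    """Number of loss events in one year given an expected rate lam (Knuth's method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(frequency=LOSS_EVENT_FREQUENCY,
                           magnitude=LOSS_MAGNITUDE,
                           years=10_000, seed=1):
    """Monte Carlo over simulated years: sample a rate, then the events and their costs.
    Returns one total-loss figure per simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = pert_sample(rng, *frequency)
        events = poisson_sample(rng, rate)
        losses.append(sum(pert_sample(rng, *magnitude) for _ in range(events)))
    return losses


def percentile(sorted_values, q):
    """Nearest-rank percentile of an already sorted list (0 <= q <= 1)."""
    idx = int(round(q * (len(sorted_values) - 1)))
    return sorted_values[max(0, min(len(sorted_values) - 1, idx))]


def summarize(losses):
    """Annualized loss statistics a buyer can carry into price or indemnity talks."""
    s = sorted(losses)
    return {
        "mean": statistics.fmean(s),
        "p50": percentile(s, 0.50),
        "p90": percentile(s, 0.90),
        "p99": percentile(s, 0.99),
        "max": s[-1],
    }


def exceedance_probability(losses, threshold):
    """Share of simulated years whose total loss exceeds threshold
    (one point on a loss exceedance curve; useful for sizing an indemnity cap)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


if __name__ == "__main__":
    sim = simulate_annual_losses()
    for key, value in summarize(sim).items():
        print(f"{key:>5}: ${value:,.0f}")
    for cap in (1_000_000, 10_000_000, 50_000_000):
        print(f"P(annual loss > ${cap:,}) = {exceedance_probability(sim, cap):.3f}")
```

With these constructed inputs the median simulated year shows no loss at all while the mean and the upper percentiles are in the millions, which is exactly why a single point estimate misleads: the negotiation question is how much of the tail the buyer is willing to carry, and the exceedance probabilities map directly onto candidate indemnity caps or insurance limits.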

Some will argue that this practice won’t be adopted until a regulator forces buyers into it. In fact, the Securities and Exchange Commission (SEC) has already started down that path.

The SEC has issued guidance on risk disclosures.

In February 2018, the SEC released interpretive guidance directing public companies to disclose both cyber incidents and cyber risks. It went a step further and described the disclosure controls and procedures companies need so that their disclosures of cyber incidents are informed. The rubric the SEC followed closely resembles the FAIR standard’s model for measuring cybersecurity risk. If you aren’t doing this now, you’re already behind. And you’re not doing true due diligence.

Need an expert to conduct a FAIR analysis of cybersecurity risk in M&A? Schedule a call with Foresight Resilience Strategies today.

Adam Bobrow