Comment on the need for a proactive approach to cyber-security
- Jake Olcott, VP of Communications and Strategic Partnerships at BitSight
- 20.11.2018 06:15 am undisclosed
I read with interest the article in the FT that looked at how cyber security efforts have turned proactive after sophisticated attacks and detailed what organisations are now proactively doing to prevent attacks. In particular, the article homed in on how concerns have now spilled over into mergers and acquisitions, where cyber security has become a much greater focus for due diligence. Indeed, a spokesperson from Linklaters stated how deals have not gone through because of the standard of IT security of the target. Here at BitSight, we have also seen this. Companies have insight into financial, legal and other risks during the due diligence process, but are oftentimes left in the dark when it comes to cyber risks. In fact, in a survey, law firm Freshfields Bruckhaus Deringer found that 90% of people believed that cyber breaches could reduce the value of a potential acquisition.
Traditionally, companies have approached cyber risk in acquisitions by issuing questionnaires to the target company -- unfortunately, these methods are time-consuming and reflect only a “snapshot in time” view. Organisations are increasingly leveraging alternative methods -- including non-intrusive Security Ratings -- to obtain information about cyber risk. For many companies, having this data on the front end of the deal helps drive better assessment not only of the risk, but also of the "total cost of ownership" -- how much it would cost to improve an organisation's security to the acquiring company's standards.
This is an issue that will become even more significant in the months ahead, as investors outside of the M&A world will be paying attention to the security posture of their investments. Just last week, the SEC announced plans to conduct more robust oversight into corporate disclosure policies with respect to cyber risk.