
long read

Building up cyber security

Author: Marc Mullen

Published: 09 Apr 2024


Cyber security is an ever-increasing issue for businesses. Following the launch of the ICAEW Corporate Finance Faculty’s guide on cyber security in M&A, Marc Mullen looks at where advisers can help.

Cyber attacks around the world have increased dramatically in recent years. According to Statista, the average total cost to a business of a data breach is now $4.45m. Latest figures from Statista estimate the global cost of cyber attacks will be $9.2trn this year and predict it will rise to $13.82trn by 2028. There is a plethora of forecasts for the pain that hackers, hacktivists, organised criminal gangs and state-sponsored actors – or competitor businesses or even insiders – will bring in the coming years. But one thing is consistent – it’s in the double-digit trillions and it’s increasing.

A cyber hack can result in damage to or destruction of data, stolen money, disrupted operations, theft of IP or personal or financial data, or reputational damage. When it is possible to remedy the hack, there will be a cost for that too, on top of the direct impact on the business.

Elizabeth Huthman, a director in KPMG’s cyber security team, says: “There is no denying that the importance of cyber security in transactions has grown significantly in recent years, due to many factors. Companies and investors are more aware of the risks of cyber attacks and the need to protect themselves. The significant financial impact on companies has made them more willing to invest in cyber-security measures. Globally, governments are increasingly enacting regulations that require companies to protect their data from cyber attacks. This has made cyber security a key compliance issue for companies.”

When it comes to M&A, the incentives for perpetrators of cyber attacks increase, and the acquirer, target or investor is potentially more vulnerable to a breach if appropriate actions are not undertaken. The impact of a cyber attack on a deal can range from a minor impact on valuation, with a fully costed plan to improve the target’s post-acquisition ‘cyber posture’, to a major impact on valuation (that may materialise late in the process) or, in very rare circumstances, the collapse of a deal.

“As advisers, we’ve experienced several transactions where targets have been compromised during and throughout the deal phases,” says Jamie Iles, senior manager and UK cyber M&A lead at Deloitte. “Even prior to non-binding offers we have seen cyber become a no-go decision – that is happening more frequently.” Costs associated with a breach – the compromise itself and the subsequent remediation and professional services costs to recover from that breach – are all factored into a deal rationale and recovered as part of the final negotiation. “We’ve seen a compromise on the days of signing,” Iles adds. “The deal value shifted by millions of pounds as a result of the cost of recovery and remediation.”

Looking in

Typical findings during due diligence are that a target company’s cyber-security infrastructure is not adequate to protect from attacks, or that the target has a history of attacks resulting in financial losses and damage to reputation, or the target is not compliant with relevant cyber-security regulations or the requirements of its cyber-insurance policy. The role of the adviser is to recommend actions to mitigate the identified cyber risks, as it would be with any other risk.

Cyber warning

Last November in the US, the Securities and Exchange Commission (SEC) fired a warning shot across the bows of businesses, particularly those responsible for cyber security. The SEC charged SolarWinds Corporation and its former chief information security officer (CISO), Timothy Brown, with fraud and internal control failures related to its security practices in the lead up to a major cyber attack in 2020.

The attack, carried out by Russian hackers who inserted malicious code into SolarWinds’ software enabling them to steal sensitive customer data, affected thousands of organisations around the world. The SEC says SolarWinds and Brown overstated the company’s cyber-security expertise and experience as well as its ability to detect and respond to cyber attacks, and failed to disclose known cyber vulnerabilities.

“There have been a few public cases where security stakeholders, such as chief security officers and chief information security officers, have been held personally liable for breaches – something that was historically unprecedented,” says Jamie Iles, UK cyber M&A lead at Deloitte. “CISOs have been pushing for cyber security to be a board-level priority for years and the news that CISOs are being held personally accountable for cyber is only increasing this. Ultimately, the significance of cyber security as a value creator means that organisations are now considering it as a budget item that will continue to grow in importance, where decisions can impact profitability, competitiveness, and regulatory compliance.”

During a transaction, many more people are gaining access to a business’s data. “When a firm is engaged in M&A, you have a unique scenario where lots of people are engaging with each other and speaking to each other, maybe for the first time,” says Adam Avards, cyber and third party risk principal at UK Finance. “There are going to be gaps and a hacker can look to exploit them.”

“You can be investing in a company where you don’t understand the hidden risk itself,” says Kenny Boyce, lead cyber auditor at Third Party Cyber Security (TPCS), an adviser on cyber risks in M&A. “Cyber is like an iceberg – 80% of the risk is hidden. If you’re not doing your cyber-security due diligence, then you are investing blindly – potentially in a company whose IP is already for sale on the dark web, for example – without understanding the risk to your capital.

“When we highlight issues, it generally won’t stop a deal from happening, but will provide insights into some contractual requirements,” he adds. “We’re saying invest in this company, understand the risk of doing so, and here are some of the legal and contractual requirements to make sure that your investment is protected, based on the risks we’ve identified.”


Transition service agreements (TSAs) are important when it comes to cyber security and can last several years. Michael Young, cyber transactions and strategy partner at EY-Parthenon, warned at the launch of the ICAEW Cyber Security in Corporate Finance guide at the end of January that “meaningless phrases” such as “like-for-like services” should be avoided when it comes to IT TSAs – the terms should be specific.

Testing times

So when an adviser is brought in to look at the cyber security of a target by private equity or a trade acquirer, what is the approach? Typically, says Charlotte Devlin, cyber director at Grant Thornton, it will start with an ‘outside-in review’: “You’re basically looking at the business from the perspective of a cyber attacker. Are there any interesting red flags or open doors? It’s not a penetration test, but you can find out about the basic health of the network and the basic security that’s in place.”

At that stage advisers might be talking to people in the business and may not know the intricacies of the different cyber controls that are in place. “Having this outside-in view allows you to direct conversations in a meaningful way around ‘What’s your broader approach to cyber and why are we seeing these things?’” she says.

A cyber insurance blanket

The uptake of cyber insurance by businesses is increasingly common. As is typical with insurance products, the insurer needs its own data to accurately price it. With the cost of cyber moving upwards, and the nature of attacks ever changing, cyber insurance remains a work-in-progress.

“For small companies, cyber insurance is attractive because it can be a way of showing they take cyber security seriously and they are taking measures to prevent cyber breaches,” says Kenny Boyce at Third Party Cyber Security. “There is less take-up with bigger organisations, because they want to be masters of their own destiny.” He says it is typical of cyber insurance providers to demand more than 200 cyber-security controls, and adds: “That is not always going to work for big companies, which also have the option of self-insuring for cyber risk.”

Most cyber insurance companies will require a company to self-assess against a list of controls the insurer demands. If a claim is submitted, perhaps unsurprisingly given insurers’ modus operandi, it won’t be a simple case of the insurer paying out. If the insurer audits the business after a cyber breach and finds the right controls were not in place, it will find the company liable.

Acquirers need to look closely at cyber-insurance policies during the deal process. “Cover can stop at different points in the deal cycle depending on your policy so granting clarity on this is important,” warns Grant Thornton’s James Arthur. “And some insurance companies might be a bit choosier about who they’ll cover. So you need to understand all the information that needs to flow into the acquirer’s cyber-insurance policy that would allow the target to be covered.”

Once greater access is gained, a bespoke approach to cyber due diligence is adopted; a software business, for example, would require a different approach from a manufacturer. “Proprietary software is the intellectual property of the business, and it has to be secure in the most appropriate way because that’s really where the value sits,” adds Devlin.

For example, all – or the vast majority – of an online retailer’s revenue will come through its online customer interface. So how the business protects customer information is vital to its operations, its reputation and, ultimately, its value. For such a business, compliance with the General Data Protection Regulation (GDPR) and the payment card industry’s Data Security Standard will apply.

The ability to test cyber security policies is key. A well-crafted policy is worth no more than the paper it is written on if it is not being implemented. “It’s about trying to get evidence that people have been implementing controls on a long-term basis,” says James Arthur, head of cyber consulting at Grant Thornton. “If there’s only a very small number of people in the bubble, they might not know the answers. Do we need to increase the number of people who know about the deal, through which you can get that flow of information? Ideally we would do some independent testing as opposed to relying on what we’ve been told.”

Of course, increasing those on the inside of a deal must be carefully managed from a deal security point of view.

Post-deal and cyber

If the target company is going to be fully integrated into the acquirer’s business, then an acquirer must ensure that the target’s cyber security systems are compatible with its own. This can be a complex and time-consuming process.

But, says KPMG’s Elizabeth Huthman: “If the target company is going to be operated as a separate entity, then the acquirer may not need to make as many changes to the target’s cyber security systems. The acquirer will, however, still need to ensure that the target’s cyber security systems are adequate to protect the company from cyber attacks.”

Examples of post-merger issues that Huthman has seen include companies struggling to integrate systems, leaving vulnerabilities open that have an impact on not only the acquired company, but also the buyer. Inherited third-party service providers can also be an issue – she has seen compromises that have an impact on the acquired organisation’s operations. “We have also seen a company suffer a post-deal ransomware attack, where the attacker has obtained visibility of the company’s cyber-insurance policy terms, and used that in their ransom negotiation strategy.”

There are typically warranties to protect against post-deal cyber issues. These are designed to ensure that the buyer is not held liable for any cyber security issues that arise after the deal has closed. Cyber insurance post-deal is another debate to be had that may have formed part of the negotiations.

Even though cyber has moved up the agenda, in the maelstrom of the deal the lead advisers may simply hear that cyber security is broadly OK and any ‘but’ after that may not get the attention required. It’s the job of the cyber adviser to identify deal-critical and value-critical cyber issues. The cyber-security culture in the business is key.

“What you don’t want to do is get hung up on quite minor points,” says Devlin. “Is what you’re asking for going to tell you where the real risks are? How is cyber risk addressed by the business from the top down? Do people see it as a priority? What is the cyber posture?”

Inevitable challenge

It’s a given that many businesses will face a cyber attack and many will be targeted during a corporate finance transaction. It’s important that they are well advised, and deal with the attack in such a way that demonstrates the cyber resilience of the business.

“When it comes to mid-market companies, I think they do the basics – not because it is the business enabler that it potentially is, but because they have read news stories about other companies suffering cyber attacks,” says Boyce. “They feel it is something they should be doing, but they’re not really grasping that cyber security is something they should show customers, partners and suppliers that they take seriously.”

For businesses where tech is central, such as online gambling or generative AI products, cyber security is a badge of honour to show investors or acquirers – but, says Boyce: “If you’re working in another sector that’s less tech heavy, then that’s not the case. A mid-size company deciding whether cyber is a true business enabler or just more regulation is the balance of where we sit at the moment.”

Helping hand from ICAEW

In January, ICAEW launched its Cyber Security in Corporate Finance guide, produced by the Corporate Finance Faculty and a taskforce of cyber experts, including the National Cyber Security Centre (NCSC), the British Private Equity and Venture Capital Association, the Law Society, the London Stock Exchange, the Takeover Panel, the Association of Corporate Treasurers, UK Finance, and faculty member firms BDO, Deloitte, EY, Grant Thornton, KPMG and PwC.

The guide is aimed primarily at businesses, to help them tackle cyber risks with their advisers, when raising finance, undertaking M&A or undergoing restructuring.

“The ICAEW guidance on cyber security and M&A is very much needed,” says Adam Avards (above) of UK Finance. “It is now there, and that is really going to help organisations and all stakeholders within an M&A protect themselves from the potential vulnerability that they face in that window of time.”

At the launch event in January in Chartered Accountants’ Hall, NCSC deputy director for economy and society Sarah Lyon said that ACAs are an increasingly attractive target for threat actors, given the sensitive data they are tasked with handling.

“A breach in this sector can not only jeopardise organisations and their customers, but can also undermine trust, confidence and reputation,” she said. “I would encourage everyone from across the industry to engage with this report and the NCSC’s range of practical guidance, to help increase their cyber resilience.”

Read the Cyber Security in Corporate Finance guide
