Why experiencing a cyber breach may make for a better M&A deal

It’s not going to be a walk in the park, but experiencing a cyber breach isn’t necessarily all doom and gloom, either. 

A cyber-attack may help an industry organization up the ante on their cybersecurity — and that makes them a better purchase during an acquisition. 

In fact, experiencing a cyber breach may actually help a company increase its valuations, an expert at the NetDiligence Cyber Risk Summit said.  

“It’s actually a good thing, believe it or not, when there’s an M&A deal and you’re aware of the potential entity that you’re acquiring has actually been through a breach, because it’s very important to see what they have done about it and how they handled it,” said Daniel Tobok, CEO of CYPFER, a cyber security response team. “It’s actually a lot riskier when you are acquiring an entity that is supposedly spotless with no incidents.” 

A company that has experienced a breach is more likely to be able to deduce where their gaps in security lay and explain to a buyer what they did to better secure its assets.  

“We get a lot more comfortable [with that] than somebody saying, ‘No, we’re perfect. Everything’s great. We’ve never been hit,’” Tobok said during Sector Risk: M&A Challenges. 

Companies that assume they are secure are an example of the “gap in maturity” in the industry, he says. “That’s actually extremely dangerous because…it’s never a question of ‘if,’ it’s a question of ‘when.’”

In one M&A deal that CYPFER was involved with, the seller—a software company—was able to demonstrate how they proactively prevented countless cyberbreach attempts against their systems.  

This ultimately secured them a higher selling price.  

“They had got hit by this before and they were very proactive. They were able to show that they defended over 100,000 attempts on their back end, for example,” said Tobok. “Then, when they showed that to the buyer, and their ability to protect themselves, they actually were able to increase their selling price by 4.5%, which was quite a bit to the bottom line.”  

Most companies misunderstand the impact of cybersecurity on the evaluation of their business, he said. 

“It’s an average of 17 to 22% that can be devaluated from a particular deal if an entity is found to have, basically, certain [cyber] gaps or unresolved matters while a deal is occurring,” Tobok said.  

“It just literally tips over the scale of risk when putting together the formulas and the numbers [for the deal].” 

Feature image by iStock.com/imagedepotpro