Insights & White Papers

Evaluating cyber risks in M&A due diligence

By Business Threat Intelligence Group

Business Threat Intelligence

In an innovative approach to measuring the cybersecurity threats of an individual company from an attacker’s point of view, Threat βeta™, uses proprietary data algorithms to assess a company’s risk cluster, technology vulnerabilities, and third-party exposure in comparison to all other companies

Evaluating potential cybersecurity risks in Mergers & Acquisitions

Not long ago, due diligence around mergers and acquisitions focused primarily on financial performance and product pipelines. Today, vulnerability to cyber threats is a key element in this process – as Yahoo found when two massive cyber attacks led Verizon to reduce its purchase price for the Internet company by $350 million.

Now that all companies rely on interconnected digital data and IT systems, infrastructure security has a real impact on the value of the company to a purchaser –in terms of the cost of upgrading to more secure hardware, and of potential damage to stock price and brand equity from previous, ongoing or potential cyber attacks. According to an IBM study, the average global cost of a data breach is close to $4m – and this is before reputational damage is taken into account.

Quantifying cybersecurity risks requires a clear measure of the likelihood and severity of a cyber attack, broken down by attack type and potential financial losses. There is also a need for threat risk quantification to assess financial impact by asset type, and for benchmarking to allow comparisons within a particular industry sector and historically.

Without appropriate cyber due diligence, “the acquirer in an M&A transaction is at risk of buying the cyber vulnerability of the target company and assuming the damage and liability from incidents it suffers,” writes the American Bar Association. The acquirer may not understand the potentially devalued nature of the assets it is buying, nor the size of liabilities it may take on.

In an innovative approach to measuring the cybersecurity threats of an individual company from an attacker’s point of view, Threat βeta™, uses proprietary data algorithms to assess a company’s risk cluster, technology vulnerabilities, and third-party exposure in comparison to all other companies. With this new rating standard, a higher number the more likely an attacker can exploit a technology’s vulnerabilities. This tool can also evaluate vendors, applications, and technologies, to enable business leaders to focus on areas that pose the greatest enterprise risk.

Threat βetaTM’s proprietary algorithm was built using machine learning and industry expertise to analyze any public and private company. This can provide a direct, real-time comparison of their relative risks. For example, Marriott’s Threat βetaTM indicated that an attack was imminent – and could potentially have saved them large sums of money, while protecting brand reputation and customer trust.

For more on our Mergers & Acquisitions offerings click here.

By Business Threat Intelligence Group