Between election security, corporate data breaches, and ongoing discussions around data privacy, cybersecurity is top of mind across all industries. The scope of a cyber incident's financial and reputational impact could not be clearer to businesses today. A recent study found that over the course of 2018, the average total cost of a data breach increased by 6.4% and the amount of data lost or stolen in an average data breach increased by 2.2%.
But cybersecurity isn't only an internal concern. Investors are growing increasingly wary of investing in an organization that later goes on to experience a costly breach, or inheriting an organization's security vulnerabilities by way of mergers or acquisitions. In fact, cybersecurity now represents a significant threat to deals. Recent research conducted by Forescout Technologies found that 53% of IT and business decision makers reported that their organizations uncovered a material cybersecurity incident that risked a potential M&A deal. The Securities and Exchange Commission has also highlighted the cybersecurity risks that investors face on an ongoing basis.
Perhaps one of the most notable examples of the impact of cybersecurity on an investment is the Marriott/Starwood hack, which was made public in 2018. Before Marriott and Starwood even began talks around the acquisition, hackers stole roughly 500 million Starwood customer records, including payment information. Without conducting a thorough due diligence process, Marriott unknowingly inherited Starwood's vulnerabilities. When the incident came to light in 2018, the result was negative press for Marriott resulting in reputational harm, new legal liability and a decline in share price.
Investors everywhere must start to incorporate cybersecurity diligence into their investment decision-making process, whether they are large institutional investors with a long-term horizon, private equity firms taking an ownership stake in a business, or venture firms providing early stage funding. Furthermore, some investors will find that they want to continuously monitor the cyber risk of an investment during the lifetime of the investment.
Because evaluating cyber risk is still a relatively new concept, there are a few best practices that organizations should consider, as well as common mistakes to avoid. Let's explore a few areas below.
1. Failure to identify due diligence responsibilities
During the diligence stage of the investment, there may be confusion around which party is responsible for surfacing and mitigating potential security issues. Let's be clear – the responsibility lies with the investor, who must conduct robust diligence to validate and verify the potential investment's claims. What's also clear is that the investment target should be an active participant in this phase of the process, providing supporting information about the organization's security performance over time. By doing so, the target can showcase the organization's commitment to managing enterprise risk, which should increase enterprise value.
2. Not asking the right questions
For years, cyber diligence consisted of one question: "Have you ever experienced a breach?"
For most targets, the answer to that question is a resounding "no," regardless of the veracity of that statement. Investors need to go beyond this simple question, exploring, for example, the target's data protection strategy, the types of technologies it has in place to mitigate risk, executive leadership, and employee training, in order to gain a broader understanding.
3. Untapped data
While asking more questions is important, investors must also seek out quantitative, objective security performance information. Historically, the due diligence process has largely relied on qualitative data based on written or in-person interviews with executives and board members, which frequently produces subjective, emotionally-driven results. When evaluating the potential risk an organization may inherit through an investment, it's best to avoid gut feelings and focus on the facts. While there is value to hearing directly from executives, qualitative analysis should be supplemented with objective, straightforward measurements of security successes and challenges throughout the period. Security ratings provide significant, relevant insight here.
4. Security monitoring
Cybersecurity is dynamic and things can change quickly. Investors often assess the status of an investment's cybersecurity environment at the beginning of the relationship and fail to monitor the environment throughout the investment period. Failing to continuously monitor the security environment leads to a lack of visibility into risk and potential threats. Just as sales teams report on leads and revenue quarterly, cybersecurity teams should monitor and report on the state of the organization's security strategy to interested parties on an ongoing basis.
5. Lack of business context
More often than not, those driving the due diligence processes are not cybersecurity professionals, which means that they need cybersecurity metrics to be contextualized against potential business impact. For example, it is not enough to share that one million records were exposed in a data breach; investors also need to know the losses the business incurred as a result. Investors should be sure to ask questions that frame these metrics within the context of business impact, such as, "How will this impact stock price, revenue, and our brand's reputation?"
Investing is a big leap that can see huge returns, or massive losses, for either organization involved, and the evaluation of cyber risk is part of due diligence. Investors and their potential investments should work together to streamline communication, better define material risks and breaches, and leverage objective, quantifiable data to understand the risk of a target organization's cybersecurity posture. By leveling the due diligence process and recognizing the significant impact of risk on reputation, revenue, and beyond, investors will be in a better position to determine whether their target is a low-risk, cyber-sound investment, or whether it may be best to walk away.
—Stephen Boyer, BitSight CTO and member of the CNBC Technology Executive Council