Due diligence and cyber risk
The conventional due diligence process objectively examines financials and values tangible and intangible assets, such as debts, contracts and even intellectual property. Today, however, due diligence must include evaluation of cyber risk.
Considering the effect that a cybersecurity event can have on the financial position, brand value, image, reputation, and goodwill, as well as civil liability, failure to evaluate cyber risk in the course of a due diligence investigation is to court disaster.
Cybersecurity as a Measure of Financial Value
Almost every industry now has at least a minimum connection with the Internet through a website. Considering that the value of a Company can change dramatically as the result of a cybersecurity breach, due diligence which does not adequately evaluate cybersecurity will always lead to misvaluation of a Company.
Company investment in cybersecurity actually creates economic value for the Company. It is up to the accounting firm serving the Company to properly reflect the value of the cyber security efforts in the Company financials. The difficulty in quantifying cyber risk is no reason to ignore cybersecurity and no justification for failing to value cybersecurity or its lack in the Company financial reports.
Calculating the Value of Cybersecurity
Evaluating cyber risk and valuing cybersecurity is no less difficult that valuing intangible assets and goodwill. At a minimum, calculating the value of intangible assets and goodwill should incorporate considerations of cybersecurity adequacy.
For datacentric companies, due diligence efforts should carefully consider Company efforts to prevent and discover cyber incidents. Those companies with adequate cybersecurity programs tend to have more detailed metrics to determine not only performance criteria, but also the cost savings resulting from their investment in cybersecurity.
While prior cyberattacks are not a meaningful indicator of current risk, Company response to past cyberattacks can be a meaningful measure of whether the Company was properly prepared to respond quickly, comprehensively, and effectively. With respect to every identified cyberincident there are a number of questions for which due diligence requires answers. Did the Company mature and enrich its security measures as a result? Did the Company perform a holistic, companywide risk assessment? How did the Company handle customer communications? How long before the Company was able to return to normal business activities after the breach?
Assessing cyber risk
Effective cyber risk assessment must go beyond just examining the extent of malware, firewall and antivirus software maintenance. The cyber risk assessment process must evaluate the following functional domains to establish a baseline for Company resiliency in the event of a cyberattack:
- Insider threat
- Physical security
- External business operations
- Internal business operations
- Mobility
- Data security
There is more to considering cyber risk as an element of due diligence than static and technical checklists, the assessment must evaluate whether the cybersolutions for the business are proactive, effective and adaptive, so that current and future economic values are adequately and continuously sustained upstream and downstream.
Workforce mobility and mobile devices, external business operations, and insider threats are functional areas with high potential for significant damage to the Company from cyberattack. They are strong indicators of cyber risk. Due diligence efforts require more than determining the replacement cost of tangible assets and even “guesstimates” of the value of intangible assets and goodwill. The Sony breach illustrated the enormous direct damage that a cybersecurity breach can cause to the target Company. The collateral and indirect damage is incalculable.