Cyber security

When preparing a divestment, vendors run the risk of having their business undervalued as they are often asking buyers and investors to make decisions without a complete picture of the security of their key assets. The reason? Cyber security tends to be an afterthought when a divestment is being planned. This results in partial or inconsistent information being made available to the buyer by a sell-side management team that’s underprepared for scrutiny on the topic.

It is therefore important that sellers are proactive in their approach to cyber security during divestment and start planning early so that:

1. There is a security ‘value story’ to tell in the form of evidence of continuous proactive improvements that safeguard value drivers; and
2. The value story has been documented in a ‘buyer-friendly’ manner enabling buyers to clearly determine whether the seller’s approach to security has a value impact.

These are key steps to take to assist in the development of a ‘value story’ for cyber security:

Plan your security divestment journey – Ensure you’re thinking about security early in your sale planning, otherwise you risk leaving it too late to address issues that could negatively impact your sale price if uncovered by buyers.

Identify gaps that could erode value – Put yourself in the buyer’s position. Is there anything in your current or historical approach to cyber security that buyers could cite as having a negative impact on the value of your business. For example:

• Does your business have known gaps?
• Is the security capability fit for purpose and able to support growth and likely investment thesis?
• How does the security capability benchmark against peers?
• Has the business suffered an incident that will need to be disclosed to buyers?

Create a cyber value story - Buyers will want to see that there have been concerted efforts to improve security capability and that you are aware of and have a plan to address the areas for improvement that remain. Having gaps in your security capability is a concern for buyers but another altogether more concerning message is that there is not a well-documented and budgeted plan to resolve them. Draft your improvement roadmap, deliver against it and plan for the future.

Assess security spending – Sellers are seldom able to provide an exact figure of what they are spending/investing on security, how much they intend to spend in the future and whether they believe they can improve security with their current budget. You need to assist buyers in identifying the numbers they require to make value estimations or else you run the risk of them adding large additional cost items within their estimations as a means of reducing their risk of unforeseen costs after acquisition. Therefore, think like the buyer and assess your security cost against your plan and see if you can deliver the improvements for your proposed budget.

Document the cyber value story – Data rooms often lack cyber security information, even if security of the business or client data is one of the key means of attracting customers. Sellers need to be proactive and lead buyers to the answers by clearly documenting the extent of their cyber security capability. As a minimum a buyer would want a clear view of:

• The cyber strategy or improvement plan;
• The cyber budget;
• An overview of your team or the individuals responsible for security;
• Outline of security technology and its coverage; and
• Key security third parties and the services being leveraged.

Sellers may be of the opinion that good cyber security, though a ‘nice to have’, doesn’t generate value and therefore can be deprioritised in favour of more obvious value levers. However, should buyers identify a security approach that is not fit for purpose, lacking the required processes, technology and controls, the risk is that they factor the cost of addressing the shortcomings (or worse, a potential breach) into their offer price.

Buyers are interested in well-rounded management teams. However, management is often missing an opportunity to show potential buyers they have extensive knowledge of the business, even in areas not traditionally expected of them within a transaction. Don’t miss out on the chance to show buyers the value your security capability brings to the business, because if they are left to decide by themselves they could be misinterpreting the true value of your business.