Companies can drive down their value by hiding or mishandling data breaches, according to research by the world's largest nonprofit association of certified cybersecurity professionals, (ISC)².
Researchers questioned 250 mergers and acquisitions (M&A) experts based in the US to determine how important a company's cybersecurity program and breach history are in deciding its value ahead of a potential purchase.
Findings shared in the Cybersecurity Assessments in Mergers and Acquisitions report, released today, revealed that 49% of M&A experts have seen deals derailed after due diligence brought an undisclosed breach to light.
Researchers also found that 86% of respondents said if a company publicly reported a breach of customer or other critical data in its past, it would detract from the acquisition price assigned. However, if that breach was satisfactorily addressed and fixed, and any potential fines were already paid, 88% said it would minimize the negative impact to the overall valuation.
"While every company needs to make their own decisions regarding proper data breach disclosure policies, the research clearly shows that in the context of a possible sale, not being transparent about past breaches can literally kill a potential deal, or can seriously affect the ultimate sale price," John McCumber, director of cybersecurity advocacy, North America, for (ISC)², told Infosecurity Magazine.
Having strong cybersecurity can give a company the edge over a competitor. Researchers found that 77% of experts had recommended a particular company be acquired over another because of the strength of its cybersecurity program.
The report is a reality check for companies that think a lackluster approach to cybersecurity won't diminish their stock. All respondents stated that cybersecurity audits are now a standard practice in arriving at a dollars-and-cents valuation, and 96% said that cybersecurity readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.
"While most companies would rather not experience a breach in the first place, the study shows that those who deal with one, handle it well, and make adjustments to policies in order to limit their chances of a recurrence are looked at more favorably by potential buyers than those who seem doomed to repeat their mistakes," McCumber told Infosecurity Magazine.
"Each deal is different. But what our report indicates is that in order to maximize the value of a deal, the acquisition target should ideally self-audit their cybersecurity program and readiness level in advance."