CISO

Auto Added by WPeMatico

It’s time to better identify the cost of cybersecurity risks in M&A deals

Rob Gurzeev
Contributor

Rob Gurzeev is CEO and co-founder of CyCognito, a company focused on giving CISOs the advantage over attackers.

Over the past decade, a number of high-profile cybersecurity issues have arisen during mega-M&A deals, heightening concerns among corporate executives.

In 2017, Yahoo disclosed three data breaches during its negotiation to sell its internet business to Verizon [Disclosure: Verizon Media is TechCrunch’s parent company]. As a result of the disclosures, Verizon subsequently reduced its purchase price by $350 million, approximately 7% of the purchase price, with the sellers assuming 50% of any future liability arising from the data breaches.

While the consequences of cyber threats were soundly felt by Yahoo’s shareholders and widely covered in the news, it was an extraordinary event that raised eyebrows among M&A practitioners but did not fundamentally transform standard M&A practices. However, given the high potential cost from cyber threats and the high frequency of incidents, acquirers need to find more comprehensive and expedient methods to address these risks.

Today, as conversations accelerate around cybersecurity matters during an M&A process, corporate executives and M&A professionals will point to improved processes and outsourced services for identifying and preventing security issues. Despite the heightened awareness among financial executives and a greater range of outsourced solutions for addressing cybersecurity threats, acquirers continue to report increasing numbers of cybersecurity incidents at acquired targets, often after the target has already been acquired. Despite this, acquirers continue to focus due diligence activities on finance, legal, sales and operations and typically see cybersecurity as an ancillary area.

While past or potential cyber threats are no longer ignored in the due diligence process, the fact that data breaches are still increasing and can cause negative financial impact that will be felt long after the deal has closed highlights a greater need for acquirers to continue to improve their approach and address cyber threats.

The current lack of focus on cybersecurity issues can be partially attributed to the dynamics of the M&A market. Most middle-market companies (which constitute the nominal majority of M&A transactions) will typically be sold in an auction process where an investment bank is engaged by the seller to maximize value by fostering competitive dynamics between interested bidders. In order to increase competitiveness, bankers will typically drive a deal process forward as quickly as possible. Under tight time constraints, buyers are forced to prioritize their due diligence activities or risk falling behind in a deal process.

A typical deal process for a private company will move as follows:

  • Selling company’s investment bankers contact potential buyers, providing a confidential information memorandum (CIM), which contains summary information on a company’s history, operations and historical and projected financial performance. Potential buyers are typically given three to six weeks to review materials before deciding to move forward. Unless there is a previously known cybersecurity issue, a CIM will typically not address potential or current cybersecurity issues.
  • After the initial review period, indications of interest (IOI) are due from all interested bidders, who will be asked to indicate valuation and deal structure (cash, stock, etc.).
  • After IOIs have been submitted, the investment banker will work with the sellers to select top bidders. Key criteria that are evaluated include valuation, as well as other considerations such as timing, certainty of closing and credibility of buyer to complete the transaction.
  • Bidders selected to move forward are typically given four to six weeks after the IOI date to drill deeper into key diligence issues, review information in the seller’s data room, conduct a management presentation or Q&A with the target’s management and perform site visits. This is the first stage when cybersecurity issues could be most efficiently addressed.
  • Letter of Intent is due, when bidders reaffirm valuation and propose exclusivity periods wherein one bidder is selected on an exclusive basis to complete their due diligence and close the deal.
  • Once an LOI is signed, bidders typically have 30-60 days to complete the negotiation of definitive agreements that will outline in detail all terms of an acquisition. At this stage, acquirers have another opportunity to address cybersecurity issues, often using third-party resources, with the benefit of investing significant expenses with the greater certainty provided by the exclusivity period. The degree to which third party resources are directed toward cybersecurity relative to other priorities varies greatly, but generally speaking, cybersecurity is not a high-priority item.
  • Closing occurs concurrent with signing definitive agreements, or in other cases, closing occurs after signing often due to regulatory approvals. In either case, once a deal is signed and all key terms are determined buyers can no longer unilaterally back out of a deal.

In such a process, acquirers must balance internal resources to thoroughly evaluate a target with moving quickly enough to remain competitive. At the same time, the primary decision makers in an M&A transaction will tend to come from finance, legal, strategy or operating backgrounds and rarely will have meaningful IT or cybersecurity experience. With limited time and little background in cybersecurity, M&A teams tend to focus on more urgent transactional areas of the deal process, including negotiating key business terms, business and market trend analysis, accounting, debt financing and internal approvals. With only 2-3 months to evaluate a transaction before signing, cybersecurity typically only receives a limited amount of focus.

When cybersecurity issues are evaluated, they are heavily reliant on disclosures from the seller regarding past issues and internal controls that are in place. Of course, sellers cannot disclose what they do not know, and most organizations are ignorant of attackers who may already be in their networks or significant vulnerabilities that are unknown to them. Unfortunately, this assessment is a one-way conversation that is reliant on truthful and comprehensive disclosures from sellers, lending new meaning to the phrase caveat emptor. For this reason, it’s no coincidence that a recent poll of IT professionals by Forescout showed that 65% of respondents expressed buyer’s remorse due to cybersecurity issues. Only 36% of those polled felt that they had adequate time to evaluate cybersecurity threats.

While most M&A processes do not typically prioritize cybersecurity, M&A processes will often focus squarely on cybersecurity issues when known issues occur during or prior to an M&A process. In the case of Verizon’s acquisition of Yahoo, the disclosure of three major data breaches led to a significant reduction of purchase price, as well as changes in key terms, including stipulations that the seller would bear half the costs of any future liabilities arising from these data breaches. In April 2019, Verizon and the portion of Yahoo that was not acquired would end up splitting a $117 million settlement for the data breach. In a more recent example, Spirit AeroSystems’ acquisition of Asco has been pending since 2018 with a delayed closing largely due to a ransomware attack on Asco. In June 2019, Asco experienced a ransomware attack that forced temporary factory closures, ultimately causing a 25% purchase price reduction of $150 million from the original $604 million.

In both the case of Spirit and Verizon’s acquisitions, cybersecurity issues were largely addressed through valuation and deal structure, which limits financial losses, but does little to prevent future issues for a buyer, including loss of confidence among customers and investors. Similar to Spirit and Verizon’s acquisitions, acquirers will typically utilize structural elements of a deal to limit the economic losses. Various mechanisms and structures — including representations, warranties, indemnifications and asset purchases — can be utilized to effectively transfer the direct economic liabilities of an identifiable cybersecurity issue. However, they cannot compensate for the greater loss that would occur from reputational risk or loss of important trade secrets.

What the Spirit and Verizon examples demonstrate is that there is quantifiable value associated with cybersecurity risk. Acquirers who do not actively assess their M&A targets are potentially introducing a risk into their transaction without a mitigation. Given a limited timeline and the inherently opaque nature of a target’s cybersecurity issues, acquirers would benefit greatly from outsourced solutions that would require no reliance upon, or input from a target.

The scope of such an assessment ideally uncovers previously unknown deficiencies in the target’s security and exposure of business systems and key assets, including data and company secrets or intellectual property. Without such knowledge, acquirers go into deals partially blinded. Of course, industry best practice is to reduce risk. Adding this measure of cybersecurity assessment is an excellent practice today and likely a mandatory requirement in the future.

Powered by WPeMatico

Eight trends accelerating the age of commercial-ready quantum computing

Ethan Batraski
Contributor

Ethan Batraski is a partner at Venrock, where he invests across sectors with a particular focus on hard engineering problems such as developer infrastructure, advanced computing and space.

Every major technology breakthrough of our era has gone through a similar cycle in pursuit of turning fiction to reality.

It starts in the stages of scientific discovery, a pursuit of principle against a theory, a recursive process of hypothesis-experiment. Success of the proof of principle stage graduates to becoming a tractable engineering problem, where the path to getting to a systemized, reproducible, predictable system is generally known and de-risked. Lastly, once successfully engineered to the performance requirements, focus shifts to repeatable manufacturing and scale, simplifying designs for production.

Since theorized by Richard Feynman and Yuri Manin, quantum computing has been thought to be in a perpetual state of scientific discovery. Occasionally reaching proof of principle on a particular architecture or approach, but never able to overcome the engineering challenges to move forward.

That’s until now. In the last 12 months, we have seen several meaningful breakthroughs from academia, venture-backed companies, and industry that looks to have broken through the remaining challenges along the scientific discovery curve. Moving quantum computing from science fiction that has always been “five to seven years away,” to a tractable engineering problem, ready to solve meaningful problems in the real world.

Companies such as Atom Computing* leveraging neutral atoms for wireless qubit control, Honeywell’s trapped ions approach, and Google’s superconducting metals, have demonstrated first-ever results, setting the stage for the first commercial generation of working quantum computers.

While early and noisy, these systems, even at just 40-80 error-corrected qubit range, may be able to deliver capabilities that surpass those of classical computers. Accelerating our ability to perform better in areas such as thermodynamic predictions, chemical reactions, resource optimizations and financial predictions.

As a number of key technology and ecosystem breakthroughs begin to converge, the next 12-18 months will be nothing short of a watershed moment for quantum computing.

Here are eight emerging trends and predictions that will accelerate quantum computing readiness for the commercial market in 2021 and beyond:

1. Dark horses of QC emerge: 2020 will be the year of dark horses in the QC race. These new entrants will demonstrate dominant architectures with 100-200 individually controlled and maintained qubits, at 99.9% fidelities, with millisecond to seconds coherence times that represent 2x -3x improved qubit power, fidelity and coherence times. These dark horses, many venture-backed, will finally prove that resources and capital are not sole catalysts for a technological breakthrough in quantum computing.

Powered by WPeMatico

6 CISOs share their game plans for a post-pandemic world

Oren Yunger
Contributor

Oren Yunger is an investor at GGV Capital, focused on enterprise IT infrastructure, development tools and cybersecurity. He was previously chief information security officer at a SaaS company and a public financial institution.

Like all business leaders, chief information security officers (CISOs) have shifted their roles quickly and dramatically during the COVID-19 pandemic, but many have had to fight fires they never expected.

Most importantly, they’ve had to ensure corporate networks remain secure even with 100% of employees suddenly working from home. Controllers are moving millions between corporate accounts from their living rooms, HR managers are sharing employees’ personal information from their kitchen tables and tens of millions of workers are accessing company data using personal laptops and phones.

This unprecedented situation reveals once and for all that security is not only about preventing breaches, but also about ensuring fundamental business continuity.

While it might take time, everyone agrees the pandemic will end. But how will the cybersecurity sector look in a post-COVID-19 world? What type of software will CISOs want to buy in the near future, and two years down the road?

To find out, I asked six of the world’s leading CISOs to share their experiences during the pandemic and their plans for the future, providing insights on how cybersecurity companies should develop and market their solutions to emerge stronger:

The security sector will experience challenges, but also opportunities

The good news is, many CISOs believe that cybersecurity will weather the economic storm better than other enterprise software sectors. That’s because security has become even more top of mind during the pandemic; with the vast majority of corporate employees now working remotely, a secure network has never been more paramount, said Rinki Sethi, CISO at Rubrik. “Many security teams are now focused on ensuring they have controls in place for a completely remote workforce, so endpoint and network security, as well as identity and access management, are more important than ever,” said Sethi. “Additionally, business continuity and disaster recovery planning are critical right now — the ability to respond to a security incident and have a robust plan to recover from it is top priority for most security teams, and will continue to be for a long time.”

That’s not to say all security companies will necessarily thrive during this current economic crisis. Adrian Ludwig, CISO at Atlassian, notes that an overall decline in IT budgets will impact security spending. But the silver lining is that some companies will be acquired. “I expect we will see consolidation in the cybersecurity markets, and that most new investments by IT departments will be in basic infrastructure to facilitate work-from-home,” said Ludwig. “Less well-capitalized cybersecurity companies may want to begin thinking about potential exit opportunities sooner rather than later.”

Powered by WPeMatico