#SECURITY: Non-disclosure of Data Breaches Negatively Affects Acquisitions and Mergers

A recent study has shown that a company’s cybersecurity program, and how it has handled any history of data breaches, has a significant impact on its monetary sales value.

New research has revealed that companies can drive down their value by hiding or mismanaging data breaches.

The report, by (ISC)2, asked 250 US-based mergers and acquisitions experts looking at the importance of a company’s cybersecurity program, and how much of an impact its breach history has on its valuation ahead of a potential acquisition.

Their findings revealed that 49% of those experts have seen deals completely derailed after due diligence brought an undisclosed breach to light. Furthermore, 86% of respondents said that if a company publicly reported a breach of customer or other critical data in its past, it would detract from the allocated acquisition price.

However, if that breach was satisfactorily addressed and fixed, and any potential fines were already paid, 88% said it would minimise the negative impact to the overall valuation.

John McCumber, director of cybersecurity advocacy for North America at (ISC)2, acknowledged that “every company needs to make their own decisions regarding proper data breach disclosure”, but warned those tempted to conceal breaches from prospective buyers:

“The research clearly shows that in the context of a possible sale, not being transparent about past breaches can literally kill a potential deal or can seriously affect the ultimate sale price.”

100% of respondents in the study stated that cybersecurity audits are now a standard practice in arriving at a valuation.

77% said that they had previously recommended one company be acquired over another because of the strength of its cybersecurity program, and 96% said that cybersecurity readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.

McCumber concluded that the strength of company’s extant cybersecurity program, and its integrity in dealing with any data breaches, is therefore integral to its sales value:

“While most companies would rather not experience a breach in the first place, the study shows that those who deal with one, handle it well, and make adjustments to policies in order to limit their chances of a recurrence are looked at more favourably than those who seem doomed to repeat their mistakes.”

“Each deal is different. But what our report indicates is that in order to maximise the value of the deal, the acquisition target should ideally self-audit their cybersecurity program and readiness level in advance.”


We’re now live at PrivSec Global!
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Register your virtual seat today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.

Secure your seat

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.