#SECURITY: Non-disclosure of Data Breaches Negatively Affects Acquisitions and Mergers

A recent study has shown that a company’s cybersecurity program, and how it has handled any history of data breaches, has a significant impact on its monetary sales value.

New research has revealed that companies can drive down their value by hiding or mismanaging data breaches.

The report, by (ISC)2, asked 250 US-based mergers and acquisitions experts about the importance of a company’s cybersecurity program, and how much of an impact its breach history has on its valuation ahead of a potential acquisition.

Their findings revealed that 49% of those experts have seen deals completely derailed after due diligence brought an undisclosed breach to light. Furthermore, 86% of respondents said that if a company publicly reported a breach of customer or other critical data in its past, it would detract from the allocated acquisition price.

However, if that breach was satisfactorily addressed and fixed, and any potential fines were already paid, 88% said it would minimise the negative impact to the overall valuation.

John McCumber, director of cybersecurity advocacy for North America at (ISC)2, acknowledged that “every company needs to make their own decisions regarding proper data breach disclosure”, but warned those tempted to conceal breaches from prospective buyers:

“The research clearly shows that in the context of a possible sale, not being transparent about past breaches can literally kill a potential deal or can seriously affect the ultimate sale price.”

100% of respondents in the study stated that cybersecurity audits are now a standard practice in arriving at a valuation.

77% said that they had previously recommended one company be acquired over another because of the strength of its cybersecurity program, and 96% said that cybersecurity readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.

McCumber concluded that the strength of a company’s extant cybersecurity program, and its integrity in dealing with any data breaches, is therefore integral to its sales value:

“While most companies would rather not experience a breach in the first place, the study shows that those who deal with one, handle it well, and make adjustments to policies in order to limit their chances of a recurrence are looked at more favourably than those who seem doomed to repeat their mistakes.”

“Each deal is different. But what our report indicates is that in order to maximise the value of the deal, the acquisition target should ideally self-audit their cybersecurity program and readiness level in advance.”

