Cyber security seems to often be ignored or at best reactive when it comes to business deals, however security has a tangible impact on business value. This is a risk that needs to be understood and mitigated, and can be a source of leverage when you’re on the buy-side or in origination.
Firstly, the business itself should have good end-point security systems and practises for keeping employees and the business network safe.
Secondly, and less well understood, the online business systems which face customers and suppliers need to be properly secured. The problem with online business systems is that they can leak information, be vulnerable to exploitation, and also facilitate lateral movement across other systems in the organisation.
There are several reasons a potential or current investor in a business would want to understand information security practises of the organisation to properly measure market risk of the investment:
Firstly, exploitation of an online business system can cost the organisation vast sums of money in short and long term impacts. From disaster recovery costs, to direct financial losses, to exfiltration of intellectual property. The average cost associated with a data breach in Australia in 2017 was $2.51M – however the financial impact to financial services, insurance and fintech businesses is disproportionately higher (about 3.5 times) than other industries.
Second, as of February this year, the Australian Notifiable Data Breaches scheme comes into effect and requires organisations to monitor systems so that they can then notify the Office of the Australian Information Commissioner of any data breaches that affect personal information under the Privacy Act. The challenge companies face in complying with the requirements of this legislation is that the costs associated with a breach are much higher – both in direct costs and in brand damage. Further to this, the OAIC has the power to levy fines of up to $1.7 million for privacy breaches.
Finally, the costs associated with remediation of security issues in any business systems that are online, whether they have been exploited or not, can be quantified in monetary terms when being measured as an operational risk against the potential costs of a breach simply by using the comprehensive data provided in this research paper.
When you start to look at the potential impact of cyber-security risks in a business, you understand the immense impact of these factors on determining the real value of a business. When it comes to investment you can immediately see how you now have a way of determining if a business is under, or over valued based on its exposure to cyber-security risk.
The most important thing to take away from this insight is that these risks are not just facing ‘software businesses’ or ‘technology companies’ – nearly every business today will have some kind of bespoke online business systems for customers, suppliers or employees, and even if there is good end-point security systems and practises for keeping employees and the business network safe (which often is not entirely the case), that bespoke software is a risk that needs to be understood.