By 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of business relationships, Gartner analysts believe.
They also predict that, by 2020, 60% of organizations engaging in M&A (mergers and acquisitions) activity will consider cybersecurity posture as a critical factor in their due diligence process.
With the mess that the Yahoo acquisition turned out to be, due to previously unknown/undisclosed data breaches, it’s easy to see how that second prediction might come true.
The agreed-upon purchase price of Yahoo dropped by $350 million because of the security breach that was revealed after its M&A announcement with Verizon, the analysts noted, and they pointed out that this figure does not include any public reputation or brand image loss, which must also be taken into consideration.
Any type of M&A activity results in changes to the threat landscape, risk appetite and employee culture. It is therefore imperative that security and risk management leadership participate in M&A execution, they say.
The analysts advise them to perform a variety of risk and security assessments on the to-be-acquired entity, and to ask for the findings of previous similar assessments. These should include assessments tied to physical, data, application and network security, policies/standards, disaster recovery, business continuity and incident response.
Aside from being helpful during the negotiation process, the results of these assessments can jump-start plans for a quick remediation of unearthed vulnerabilities or security gaps once the deal is concluded.
Finally, the analysts also pointed out that the cybersecurity due diligence effort in M&A has to be tailored by taking into consideration the participants’ industry, the value of the assets, the regulatory environment and the deal size.
Independent cybersecurity ratings
Security and risk management leaders are beginning to give more weight to the risks associated with the complex ecosystems that are an integral part of digital businesses: digital supply chain risk, third-party (and fourth- and fifth-party) risk, and so on.
“Historically, it has been fairly straightforward to assess the financial risk of business relationships by leveraging business and credit rating services such as Standard and Poor’s, Dun and Bradstreet, and Moody’s. With regard to technical and cyber risk, there has been no standard framework or approach — or rather, there have been too many, with a minimal level of commonality or consistency,” the analysts pointed out.
The demand is obviously there, but fulfilling it in such a way that customers can be confident in the ratings is difficult. For one, the information on which the ratings are based can’t come only from public sources.
“Like credit ratings services, it may be the case that providers will need the cooperation of their targets of evaluation, providing a deeper level of inside information than is currently incorporated into scoring models,” they noted.
Secondly, a cybersecurity ratings provider must convince customers that its analysis and scoring methodology produces results that match the actual situation, and that those results haven’t been unjustifiably influenced by the evaluated entities.
The analysts believe that, over the next six years, these services will become a mandatory precondition for a growing number of business relationships and part of the standard of due care for providers and procurers of services.
“These cybersecurity scores will impact the degree to which other companies engage in high-value business with the organization. These scores will have an impact on cost/availability of cyberinsurance,” they opined.
Security and risk management leaders should, therefore, evaluate cybersecurity ratings services and think about investing in them as part of the internal risk management program.
“This will enable organizations to be proactive and manage the overall risk of digital business ecosystems, identifying issues before partners do,” the analysts concluded.