How to factor cybersecurity concerns into a business valuation
Rarely a day goes by without a headline about a major data breach or ransomware attack. Amid the COVID-19 pandemic, cyber risks will likely continue to grow as businesses increasingly rely on remote workers and cloud-based technologies. So, it’s critical for business valuation professionals to assess such risk when valuing businesses.
Although hackers often target large businesses because “that’s where the money is,” the threat of cyberattacks is an issue for businesses of all sizes. In fact, smaller businesses are increasingly targeted because they tend to have less robust cybersecurity programs.
Think beyond direct costs
The potential impact of weak cybersecurity on business value is far-reaching. It extends beyond the expense associated with responding to and mitigating breaches. For example, a cyberattack can destroy the value of intellectual property that relies on secrecy, such as customer lists, know-how, designs, R&D documents, manufacturing processes and business plans.
Likewise, organizations that possess sensitive customer or patient data — such as Social Security numbers, addresses, credit card accounts and health information — can face devastating liabilities if this information is stolen. A significant data breach can also damage a company’s reputation, reducing the value of its goodwill. A cybercriminal can even create a risk of physical injury or product defects by tampering with machinery or equipment.
Evaluate cybersecurity measures
When gathering data about a business, valuation experts ask questions about cybersecurity protocols. A logical starting point is determining whether the business has conducted a risk assessment and adopted a recognized cybersecurity framework. The NIST Cybersecurity Framework, published by the National Institute of Standards and Technology (NIST), and similar frameworks organize the security outcomes a business should be able to demonstrate, and they give an expert a structured basis for assessing cyber risks.
For example, consider ransomware attacks, in which cybercriminals encrypt or steal a company’s data and demand payment for its return or for not publishing it. The threat is so serious that NIST has developed a separate Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374). It outlines basic preventive steps that companies can take to protect themselves against ransomware, such as:
- Always use antivirus software,
- Keep computers fully patched,
- Block access to ransomware sites,
- Allow only authorized apps,
- Restrict personally owned devices on company networks,
- Educate employees about social engineering, and
- Develop and implement rigorous backup and incident recovery plans.
Valuation experts can use this framework to gauge cyber risks. Claimed controls should be supported by evidence, such as a recent third-party assessment, patch compliance reports or a documented test of restoring from backups, rather than taken on management’s word alone. All else being equal, a company that’s effectively implemented these steps is worth more than one with less effective controls in place, or none at all.
Quantify the impact on value
Once potential cyber risks have been identified, the expert must quantify their impact on business value. This can be handled in various ways. For example, under the income approach, the discount rate may be increased to the extent that the subject company has weak or missing cybersecurity protocols. Alternatively, an expert may lower the subject company’s projected cash flows to reflect the expected cost of incidents. The two adjustments address the same risk, so applying both without care double-counts it; the expert should document which adjustment captures which part of the risk.
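The following worked example, added here and not part of the original article, shows how the two income-approach adjustments described above change a discounted cash flow conclusion of value. The cash flows, discount rate, growth rate, breach probability and loss amount are all constructed assumptions for illustration, not figures from the article or from any real company.

```python
"""Income-approach cyber-risk adjustments on a simple DCF (added illustration).

All numbers below are constructed assumptions, not data from the article.
"""

# Constructed assumptions: five years of projected free cash flow, a base cost of
# capital before any cyber adjustment, and a long-term growth rate for the terminal value.
PROJECTED_CASH_FLOWS = [1_000_000.0, 1_050_000.0, 1_100_000.0, 1_150_000.0, 1_200_000.0]
BASE_DISCOUNT_RATE = 0.15
LONG_TERM_GROWTH = 0.03


def discounted_cash_flow_value(cash_flows, discount_rate, growth):
    """Present value of the explicit-period cash flows plus a Gordon-growth terminal value."""
    if discount_rate <= growth:
        raise ValueError("discount rate must exceed long-term growth")
    present_value = 0.0
    for year, cash_flow in enumerate(cash_flows, start=1):
        present_value += cash_flow / (1 + discount_rate) ** year
    # Terminal value: final-year cash flow grown one period and capitalized, then discounted.
    terminal_value = cash_flows[-1] * (1 + growth) / (discount_rate - growth)
    present_value += terminal_value / (1 + discount_rate) ** len(cash_flows)
    return present_value


def value_with_rate_premium(cash_flows, base_rate, growth, cyber_premium):
    """Adjustment 1: add a company-specific risk premium for weak controls to the discount rate."""
    return discounted_cash_flow_value(cash_flows, base_rate + cyber_premium, growth)


def value_with_expected_loss(cash_flows, base_rate, growth, annual_breach_probability, loss_per_breach):
    """Adjustment 2: reduce each year's cash flow by the expected annual incident loss.

    The haircut carries into the terminal year, so it is also capitalized in perpetuity,
    which is the conventional treatment of a recurring expected cost.
    """
    expected_annual_loss = annual_breach_probability * loss_per_breach
    adjusted = [cash_flow - expected_annual_loss for cash_flow in cash_flows]
    return discounted_cash_flow_value(adjusted, base_rate, growth)


def value_reduction_pct(base_value, adjusted_value):
    """Percentage of value lost to the adjustment, for reporting in the valuation narrative."""
    return (base_value - adjusted_value) / base_value * 100.0


def summarize(cash_flows=PROJECTED_CASH_FLOWS, base_rate=BASE_DISCOUNT_RATE,
              growth=LONG_TERM_GROWTH, cyber_premium=0.02,
              annual_breach_probability=0.10, loss_per_breach=1_500_000.0):
    """Return the unadjusted value and both adjusted values for side-by-side comparison."""
    base = discounted_cash_flow_value(cash_flows, base_rate, growth)
    premium = value_with_rate_premium(cash_flows, base_rate, growth, cyber_premium)
    haircut = value_with_expected_loss(cash_flows, base_rate, growth,
                                       annual_breach_probability, loss_per_breach)
    return {
        "unadjusted": base,
        "rate_premium": premium,
        "rate_premium_reduction_pct": value_reduction_pct(base, premium),
        "expected_loss": haircut,
        "expected_loss_reduction_pct": value_reduction_pct(base, haircut),
    }


if __name__ == "__main__":
    for label, figure in summarize().items():
        print(f"{label:>28}: {figure:,.2f}")
```

Running the script prints the unadjusted value beside the value after a 2% discount-rate premium and the value after an expected-loss haircut; the reduction percentages are the figures an expert would carry into the report. Because both adjustments reduce value from the same starting point, the summary makes it obvious when applying both together would double-count the risk.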
Under the market approach, it may be appropriate to adjust pricing multiples downward to reflect excessive cyber risks relative to the guideline companies. However, it may be difficult to evaluate the control environment of the guideline companies based on the limited information provided in guideline company databases.
When using the cost approach, a valuator might consider adjusting the market value of intangible assets, such as goodwill or intellectual property, for potential cyberthreats. Or the risk could be reflected in a contingent liability account on the adjusted balance sheet.
Cyber risks are among the biggest threats businesses face today. A valuation that fails to evaluate them and incorporate their impact into the conclusion of value is unlikely to withstand scrutiny.