Case Study: The $20m save through Cyber M&A Due Diligence

- by -

Nick Ashton

Introduction

In today’s digital age, cybersecurity is paramount, especially during mergers and acquisitions (M&A). NorthCap Cyber, a mould-breaking cybersecurity firm, recently undertook a critical project for a private equity house (PEH) involved in a high-stakes M&A deal. This case study explores how the team’s diligent assessment and strategic initiatives not only safeguarded the PEH’s interests but also saved them a staggering $20 million.

Context

The PEH was targeting a mid-sized tech company that hosted a global online platform that provided academic support to millions. The business was growing aggressively, but required significant investment to enable further growth and much-needed improvements to enable sustainability and expansion.

The value of this target business was mostly encapsulated within the intellectual property it had developed over the years. For the PEH, understanding the cyber maturity of the business, and how these critically important assets were being protected, was paramount.

Client Challenges

The PEH was eyeing the acquisition of a mid-sized tech company. While the target company showed promising growth and profitability, its valuation was largely focused on its intellectual property (IP). The PEH was concerned about potential cybersecurity risks that could compromise the deal’s value. Their primary challenges included:

  • Limited Time: The client was introducing us into the due diligence process with just 1 week to go, presenting us with the need to provide our support quickly without sacrificing quality.
  • Asset Security: Verifying that the target company had secure hands around its most valuable assets to maintain its competitive edge.
  • Evaluating company-wide cyber maturity: Understanding the target company’s cybersecurity maturity against an appropriate framework that would highlight any gaps, inefficiencies, or substandard practices that could present a threat to growth or reputation.

Solutions Implemented

The team executed a comprehensive cybersecurity due diligence assessment, examining the target company from the outside-in and the inside-out, encompassing the following key steps:

Outside-in:

  • In-depth Vulnerability Assessment: Experts performed a thorough vulnerability assessment of the target company’s IT infrastructure. This included penetration testing, network security evaluations, and a review of software applications.

Inside-out:

  • Comprehensive Cybersecurity Maturity Assessment: The team quickly conducted workshops with critical stakeholders to assess the business against the bespoke NorthCap cybersecurity assessment framework, targeting the presence of both technical and non-technical controls across the business to identify any correlated gaps in critical best practices that were increasing the exposure to cyber attacks.
  • Incident Response Evaluation: The team assessed the target’s incident response policies, procedures, and capabilities. This involved reviewing historical incident reports, incident response plans, and assessing the capabilities of staff and the tools at their disposal.
  • Risk Quantification and Reporting: The findings were quantified in financial terms, providing the PEH with a clear understanding of the potential risks and their impact on the acquisition’s value.

Outcomes Achieved

The cybersecurity due diligence assessment revealed significant vulnerabilities within the target company’s IT infrastructure, which included outdated software with known exploits, inadequate encryption practices, and insufficient incident response protocols. Chief among these issues was the discovery that the business had been storing all of its most valuable IP in a poorly protected shared file location which had been compromised 5 years ago and never changed. This meant that the IP that primarily warranted the then valuation was in significant question, as the business had no ability to prove that it was the exclusive owner of that IP.

These findings had several critical outcomes:

  • Negotiation Leverage: Armed with the detailed report, the PEH renegotiated the acquisition terms, securing a ~$20 million reduction in the purchase price due to the identified risks.
  • Risk Mitigation Plan: The team provided a comprehensive risk mitigation plan, enabling the target company to address the identified vulnerabilities and improve their cybersecurity posture.
  • Enhanced Investment Value: By addressing the cybersecurity issues before finalizing the acquisition, the PEH not only saved money but also enhanced the long-term value of their investment.

Strategic Value and ROI

The strategic value of subject matter expertise in this M&A deal was immense. The project not only highlighted potential risks but also turned those risks into negotiation assets, directly translating into financial savings. The ROI on the cybersecurity measures was clear:

  • Cost Savings: ~$20 million saved on the acquisition price.
  • Future-proofing: Enhanced cybersecurity measures reduced the likelihood of future cyber incidents, protecting the PEH’s investment.
  • Regulatory Assurance: Ensuring compliance averted potential legal and financial penalties.

Samuel Brown, Managing Partner of NorthCap Cyber, emphasized the significance of strategic cybersecurity initiatives:

“When you’re about to acquire any company, it can often feel like exploring an unfamiliar house in the dark – you never know what’s lurking in the shadows and find yourself tripping over steps and hurting your feet on the dreaded ‘floor Lego’, leading to dead ends and avoidable pain.

Having an expert cyber partner like NorthCap is crucial. We slot in seamlessly with your normal M&A processes with the aim of uncovering hidden cyber risks. With this client, we flicked on a torch and showed them a fairly significant concern lurking in the shadows. As always, we talked them through the best path forwards and how to navigate this challenge.

It’s common to misunderstand, but our role isn’t just about ticking boxes; it’s about strategically protecting and enhancing value at every stage – and it’s tangible value, as this example proves. With NorthCap, you get a clearer picture, avoid nasty surprises, and set the foundation for stronger, more secure investments.”

Conclusion

NorthCap Cyber’s successful programmes of investment due diligence for private equity houses exemplify the critical role of cybersecurity in M&A due diligence. By identifying and addressing significant vulnerabilities, NorthCap Cyber protects its clients’ investments and sets the stage for a more secure and profitable acquisition. This case study underscores the strategic value and high ROI of investing in robust cybersecurity measures during M&A transactions. If you work in M&A and want to understand the power of expert-led cyber assessments and governance, contact the NorthCap Cyber team here.
