When lack of risk assessment means less money

Over the course of several months of discussions with various board members, we have repeatedly heard ‘cyber security’ compared to an insurance policy: something that is required only out of fear or for compliance reasons. Some directors argue that an improved cyber security posture does not generate more money. However, we have many examples showing that quite the opposite is true.

Each time we implement an Information Security Management System, two of the many controls we rely on are risk assessment and due diligence in vendor and customer management. We advise on the standard security clauses in contracts and on the security assessment of vendors.

For example, in mid-February, Verizon bid for the acquisition of Yahoo at a price reduced by up to $350 million. The price reduction was a direct result of two major security issues that Yahoo had experienced, namely a breach of the personal details of over one billion users. Verizon and Yahoo had to agree to split the cost of any legal liabilities resulting from the breach. Yahoo has been criticised by many for its relaxed approach to cyber security. As reported by Venafi Labs, 27% of Yahoo security certificates had not been reissued since 2015. Replacing certificates should be a standard step after every major breach, because until the keys are rotated the integrity of ongoing communication cannot be guaranteed.

This example shows the value of the due diligence and risk assessment that Verizon carried out, and, on Yahoo’s side, the neglect of the same and the detrimental consequences that followed. According to a report issued by NYSE/Veracode on mergers and acquisitions:

“Three-quarters of respondents say a high-profile data breach at an acquisition target would have serious implications on the pending transaction.”

Every board of directors carries a mammoth responsibility in M&A transactions, all the more so against a backdrop where the risk of cyber security breaches continues to rise. Cyber security is not something you need merely out of fear or for compliance. It is an integral and vital element that needs to become a part of every board agenda.