Impact of Cybersecurity Risk on the Valuation of Businesses
If you own or are starting a business today, there is a new risk that you need to take into account in your business plan. Cybersecurity Risk.
What is Cybersecurity Risk?
Cybersecurity risk is the probability of a cyber attack or data breach on your organization. Organizations are becoming more vulnerable to cyber threats due to the increasing reliance on computers, networks, programs, social media and data globally. Data breaches, a common cyber attack, have massive negative business impact and often arise from insufficiently protected data.
While small business owners might think that cybersecurity risk applies only to larger enterprises, it is a big mistake to think that small businesses are not victims of cyber attacks as well. The internet has created a playing field where size does not matter. Small businesses are using technology everyday in completing their tasks, whether it is making a call on a smart phone or using e-mail. Many small business owners mistakenly believe that installing a firewall or using antivirus software is enough protection because their companies are small and do not have any "valuable" data. Cybersecurity breaches do not discriminate based on size. Cyber thieves look for opportunities. Small businesses are just as likely to have a cybersecurity breach as large ones-and they have far fewer resources to deal with one when it happens.
In today's world, cybersecurity (like accounting) is a business process that permeates every area of the business. Accounting is a part of the sales cycle; so is cybersecurity. Accounting is a part of the supply cycle; so is cybersecurity. Accounting is a part of the manufacturing process; so is cybersecurity. The point is simple. If a valuation professional gets a bad feeling about accounting, the value of the business is questioned. Likewise, if the valuation professional gets a bad feeling about the cybersecurity, the value should be affected.
It is not required that valuation professionals be cybersecurity experts. Valuation experts are smart enough to understand that a risk exists, and it should be quantified or excluded from the valuation scope.
If the costs to mitigate or correct the breach are minimal, then there is less of a problem. However, if those costs are substantial, then the reverse is true.
Cybersecurity, a Key Consideration of any Business Valuation
As you may know, Value is calculated by dividing Cash flow by the Risks inherent to the company. We know that risk affects valuation, but only recently has it been recognized that cybersecurity is a pervasive risk. Once insurance companies started selling cybersecurity insurance, any arguments to the contrary were dispelled. The fact that there is a burgeoning market for cybersecurity insurance is validation that cybersecurity is a real risk. It could be the subject of an entire article, but cybersecurity insurance is not a "get out of jail free card" for dealing with cyber risk. It is the last resort. In addition, cybersecurity insurance has many landmines of its own because it is a non-standard form policy.
In today’s world, most businesses are forced to operate on top of an IT infrastructure that is inherently insecure. Not every business must use this IT infrastructure to move and store sensitive data, but for most businesses, that is the reality. In today's world: The greater the dependence upon the IT infrastructure to operate the business, the greater the risk.
Business Valuation professionals should consider including cybersecurity due diligence as part of their valuation process. That due diligence provides: (a) a more accurate valuation of a business, (b) helps clients protect and increase the value of their businesses, for example. It also: (1) reduces the risk and liability associated with valuations that do not factor in cybersecurity, (2) helps increase the value of the Experts' practice, thus giving him/her a competitive edge.
Areas where cybersecurity risk could affect the valuation of a company are:
a- the discount rate through the company specific risk premium that is adjusted for cybersecurity risk
b- the cash flow that is adjusted to account for losses due to cybersecurity breaches
c- a direct adjustment to the value of the company
If a business cannot effectively defend its IT systems and data from attacks, then it is worth less than a business that can defend itself. It is the valuation professional's job to determine the impact of the cybersecurity risk on that business's valuation.
Target Breach, December 2013
In 2013, a cybersecurity breach of Target resulted in forty million credit cards plus an additional seventy million customer loyalty cards that were stolen. Target paid nineteen million dollars in fines and another $154 million in legal settlements. Their 2016 annual report said that total financial cost to the company was $292 million-less a $100 million cyber insurance payment.
The event occurred in 2013, and it is still not resolved; hard costs continue to accrue as of 2019. The stock price took a major hit immediately after the breach but has since recovered. This is because Target had major resources to respond to the challenge that a smaller enterprise would not have.
Verizon Purchase of Yahoo, 2013-2014
In 2013 – 2014 during Verizon's due diligence process in purchasing Yahoo, they accidentally discovered a breach of Yahoo’s systems. The personal data of 3 Billion account holders were exposed although no credit card info was exposed.
As a result of this breach, Verizon reduced the purchase price from $4.8 billion to $4.48 billion and demanded that Yahoo’s shareholders pay costs associated with remediation, loss of customers, business disruption, regulatory fines, legal costs, etc., and set monies on the side to cover retained liabilities associated with this breach.
The matter is still not resolved despite the sale that went through.
Recent Cybersecurity Breaches in the News
Capital One Breach
It was revealed that a hacker gained access to more than one-hundred million Capital One customers' accounts and credit card applications earlier this year. According to the bank and the US Department of Justice, the accused hacker, Paige Thompson, gained access to 140,000 Social Security numbers, one million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people's names, addresses, credit scores, credit limits, balances, and other information.
Equifax Security Breach Settlement
In the same month, Equifax, the credit rating company, announced a settlement agreement with regards to its data breach, which occurred in September 2017. One hundred forty-seven million consumers were affected. Hackers were able to get access to a multitude of consumer private information, including names, Social Security numbers, dates of birth, credit card numbers and even driver's license numbers.
During the investigation into the breach, Equifax admitted the company was informed in March that hackers could exploit a vulnerability in its system, but failed to install the necessary patches. As part of the settlement agreement, Equifax will also pay $175 million in civil penalties to states, and a $100 million fine to the Consumer Financial Protection Bureau.
Cybersecurity is here to stay as a risk to businesses, and they need to find a way to mitigate that risk to protect and increase the value of their investment. Cybersecurity may now have a material impact on business valuation. While it is not necessary to be a cybersecurity expert, it is critical for small business owners to preserve their biggest investment from external attacks that could potentially destroy them. For valuation Experts, the magnitude of this impact can be determined by addressing cybersecurity risk in the management interview, the development of the value, and the reporting of that value. Business valuation Experts and business owners should now factor in this increasing risk and act accordingly.
If you have any questions about this article please don't hesitate to contact me using the information below.
Achille Ekeu, MBA, CVA
President & CEO
The Washington Valuation Group (WVG)
Achille Ekeu is the President and CEO of The Washington Valuation Group (WVG). A small boutique firm located in the greater Washington Metropolitan area that focuses on the valuation of closely-held businesses for estate and gift tax, acquisition, sale, debt financing, start-ups, buy-sell agreements, divorce and partnerships disputes. He is an elected Board member of the National Association of Certified Valuators and Analysts (NACVA) and the elected State Chapter President of NACVA in Washington DC and Maryland.
Note: This article is based on an article published in the Value Examiner by Raymond Hutchins and Dave Miles, CPA, CVA, CGMA (July- August 2019) titled: Cybersecurity and Business Valuations: Increasing Value and Reducing Risk for Valuators.