Accurately pricing risk is the most daunting aspect of valuing an acquisition. Perhaps the most difficult risk to price is cybersecurity exposure. Luckily, getting your arms around cybersecurity risk has become easier.
Earlier this year, the AICPA released a market-driven Cybersecurity Risk Management Reporting Framework that can help an organization articulate its cybersecurity risk appetite and mitigation efforts. The AICPA also released a guide for firms performing cybersecurity risk examinations.
IF YOU ARE A BUYER
The Gold Standard
If you are acquiring an organization, and it is early in the process, build a requirement into the deal that the seller will obtain an independent Cybersecurity Risk Management Examination. This examination involves the following:
Management describes the organization’s cybersecurity risk management program and objectives
Management makes an assertion that cybersecurity controls are operating effectively to meet the organization’s cybersecurity objectives (if management can’t provide the assertion, the Cybersecurity Risk Management Examination cannot proceed)
An independent accounting firm will carry out procedures to review, test, and gather evidence related to the cybersecurity risk management program and its associated controls
If all goes well, the accounting firm will issue a report that, among other things, opines that controls were effective to achieve the organization’s cybersecurity objectives
Ok, this examination is a large undertaking and is not likely to be completed within the deal’s timeframe.
The Next Best Thing
Rather than have the independent accounting firm test controls, there is a more limited review that addresses only the suitability of the design of the controls. Here the independent accounting firm does not opine whether controls were effective. This approach will significantly reduce the time required to complete an examination. It is generally referred to as a ‘Design-Only Examination’.
If There Is Not Sufficient Time For An Examination To Be Performed
As part of diligence, request that management provide a written description of their cybersecurity risk management program and objectives, and have them provide a written assertion that controls were effective to meet the program’s objectives. If management is unable or unwilling to provide this, a significant cybersecurity risk premium should be used to adjust the purchase price lower.
If Management Is Unwilling or Unable To Provide A Description and Assertion…
In some cases, management may be unwilling or unable to provide a description of their cybersecurity risk management program and objectives. If this is the case, the AICPA’s “Cybersecurity Risk Management Reporting Framework” and “Guide to Reporting on an Entity’s Risk Management Program and Controls” are excellent sources to use when performing diligence on a target’s cybersecurity program. They will help you identify specific areas of exposure, which will aid in pricing the associated risk. Use them as tools to augment your existing cybersecurity diligence.
As a buyer, you will be in a better negotiating position if your diligence is highly structured and follows an objective framework. It’s better to identify issues and price for them rather than find them after closing.
IF YOU ARE A SELLER
Strongly consider obtaining a Cybersecurity Risk Management Examination. This has three benefits. First, it will require you to assess your cybersecurity risk in a structured manner – something you will need to have during diligence. Second, it will allow you to identify and mitigate existing cybersecurity weaknesses. Third, it will enhance your negotiating position and likely drive your business valuation higher by eliminating a ‘cybersecurity risk premium’ a buyer would propose to adjust the purchase price lower.
DISCLOSURE: I am not licensed as a CPA in the state of Arizona and am not holding myself out as a CPA in Arizona. The information included in this article is for information only and does not constitute advice.