Evaluate risks to increase value and growth opportunities

Cybersecurity becoming increasingly important for value creation

  • Blog
  • 16 Jan 2024
Angeli Hoekstra

Partner Cybersecurity & Privacy, PwC Netherlands

With the increasing reliance on technology, organisations realise that effective cybersecurity measures are not only essential for protecting sensitive data, but also for creating value and maintaining a competitive advantage in the market. For parties involved in a transaction, it is especially important to assess cybersecurity risks to enhance their value and opportunities for growth, according to PwC expert Angeli Hoekstra.

Cyber threats

Cyber threats come from various angles. Geopolitical situations play a role, where countries may want to disrupt specific infrastructure because they are at war with each other or want to draw other countries into that war. On the other hand, many organisations possess intellectual property that is attractive to other organisations. A simpler form of cybercrime focuses on stealing money, breaching privacy, or extortion with stolen or encrypted data (ransomware). It does not require extensive knowledge to cause damage, and with generative AI it will become even easier and more prevalent. According to PwC's most recent CEO Survey, vulnerability to cyber risks is among the top three threats experienced by CEOs worldwide. Organisations can no longer get away with inadequate basic cyber hygiene.

Professionalising the cyber function through regulations

Furthermore, organisations will further professionalise their cyber function to comply with upcoming regulations such as DORA (Digital Operational Resilience Act), CRA (Cyber Resilience Act) and NIS2. Europe wants to protect its companies and citizens with a range of regulations. This protection also extends to the safety of products and services: you need to know where they come from, whether they are safe and what their impact is. Different classifications apply. For products and services that affect critical infrastructure, stricter security measures are required. NIS2 also considers the impact on society and how to reduce potential risks.

Not just protection, but also value creation

Organisations that recognise the importance of cybersecurity and incorporate it into their overall business strategy can not only protect their assets but also create value by strengthening customer trust, driving digital transformation, complying with regulations, and gaining or increasing competitive advantage in the market. Cybersecurity and value creation are becoming increasingly integrated and can enhance value and growth opportunities, especially when organisations are involved in a transaction. On the other hand, poorly addressed cybersecurity risks can lead to value depreciation. Proactive policies to prevent this are therefore desirable.

Map your cyber risk profile

Complying with requirements starts with having control over your cybersecurity function. Medium to large companies will increasingly have a chief security officer or an IT/cybersecurity leader. Smaller companies will use solutions such as cybersecurity as a service or an IT manager who also focuses on security strategies. But in 2024, cybersecurity is not just about the purely defensive side anymore. Cybersecurity is becoming increasingly a strategic investment to create value.

To use cybersecurity as both a defensive and value-creating mechanism, it is wise for organisations to map their cyber risk profile. Start with a clear strategy and translate it into operational matters. The basic hygiene - such as email security, system protection, and a certain level of infrastructure monitoring - is usually present but often still isolated.

Recently, we conducted due diligence for a client who had experienced a ransomware attack. When we asked one of the leaders what his worst nightmare was, he replied, "being a victim of ransomware again." He had gone through the pain, invested heavily in operational security, but this answer showed that he still felt his organisation did not have control over the cyber function. Ransomware and other cyber-attacks are always a possibility; an organisation needs to prepare and be ready for swift response and smooth recovery, to minimise impact and downtime.

From strategy to operation

As an organisation, you need to work from a strategic to an operational layer of cybersecurity. That means not implementing security because everyone else is doing it, or keeping a log file just because you are required to have one. Make sure everything aligns with an overall strategy and comes together in a cyber risk profile. Based on potential risk factors, assess how aware your organisation is of these risks. If you are not aware of them, you certainly do not manage them.

Identify threats and risks that they can cause and determine how much risk your organisation is willing to take. Based on that, adjust your control measures, and conduct a cost-benefit analysis to determine which (potentially costly) control measures you want to implement. Once you know what your cyber risks are, you can determine which controls you need to reduce those risks. You may already have existing controls such as email security and patch policies. Evaluate their effectiveness. Make a list of your controls, monitor them, and indicate whether you are satisfied with the mitigation role they have on these risks. This way, you will automatically see which issues you need to address and can prioritise and allocate budget for security programs and related projects. This is how you translate the strategic component of risk management into operational matters.

Be prepared for a ransomware attack

The readiness of organisations to respond to attacks is often limited as well. It is important for an organisation to map out and proactively search for potential threats in both its IT and OT systems, and to hunt for cyber threats that may go unnoticed within a network ('threat hunting'). This way, you can identify as many threats as possible and strengthen your control measures. Some organisations have documented response procedures, but these are mostly focused on the IT side. A playbook on how to respond to, for example, a ransomware attack is often missing. Yet a response capability is essential: how well prepared are you to detect an attack and respond appropriately if necessary? Do you have procedures in place, and have you simulated how you will act?

During a crisis, everything is chaos, so it is better to be prepared. Appoint someone who knows how to restore systems, make backups and test them regularly, and use a sound backup strategy, which is no longer simple in multi-cloud/on-premise environments. Moreover, train your employees and invest so that a quick response lets you minimise downtime, minimise data theft, and prevent loss of value. A well-prepared organisation will respond and recover faster, leading to lower impact and downtime.

Pay attention to processes, technology, and people

Keep in mind that security and cybersecurity are continuous activities. They are a permanent part of your business operations, involving processes, technology, and people. Do not underestimate the importance of the 'people' factor. It is tempting to focus on technology and think that buying an expensive, super-intelligent firewall and relying on AI to define patterns will solve everything. But if your employees do not understand why they need to use multi-factor authentication, why they should not click on certain links, or why they should report phishing attempts, they can be a real threat to your security. You are only as strong as your weakest link. Insider risks - threats that come from within the organisation - are significant cyber risks. It is not surprising that some organisations adopt zero-trust architecture or zero-trust solutions, which assume that everyone - both humans and devices - is a risk.

Make cybersecurity part of your daily operations, in your procedures, in training and educating your employees. The way you train your employees, the way you use your systems, and the way you handle information all have a direct impact on your cyber risk profile. Also, consider the entire product or service lifecycle and think about how to incorporate cybersecurity at each stage. It is not just about creating a secure product or service, but also about ensuring its ongoing security with regular updates to prevent or address new vulnerabilities. When making business decisions, always consider the implications for cybersecurity.

Effective risk management and understanding the business impact

Effective risk management and understanding the business impact of cyber risks are key. A risk management plan ensures you know what the key areas are to prioritise and where the resources should be first allocated. It will never be one hundred per cent foolproof - that is simply not possible - but it allows you to prioritise and make informed investments. When you have a clear understanding of your risks, you can make decisions based on that knowledge. Communication is also important. When everyone is aware of the risks, the likelihood of them occurring, the costs of mitigating them, and the potential damage they can cause, the organisation can make informed decisions. If something does happen, no one can claim ignorance. The risk was communicated, it was a conscious choice, and you can move forward from there.

Impact of cybersecurity on deals

Regulations such as DORA and NIS2 also have an impact on deals. As a buyer, you want to quickly assess what has already been addressed by the target company or what investments you need to make to bring everything up to standard. From the seller's perspective, reputation is important. How do we appear to an outsider? What can we do to improve our image? Cybersecurity programs and risk management require a significant amount of time. But if the seller needs to make improvements quickly, there are certain actions that can be taken to at least enhance the cyber risk profile in a brief period.

In private equity, you usually need to create the necessary value for sale within three to five years. For buyers, it is reassuring to know that a private equity firm has a cybersecurity framework that all organisations in its portfolio must follow. As a buyer, you still need to conduct due diligence, but having such a framework in place beforehand contributes to the reputation of the portfolio companies as quality products from a cybersecurity standpoint.

After a deal, it is important to ensure that during the integration of organisations - when two technology landscapes come together - there are no blind spots for which no one feels responsible. Avoid dead zones or gaps in the new organisation's cyber risk profile. Address and improve the profile as needed.

In a market where technology not only supports all business functions but also enables new forms of business and provides competitive advantage, it is imperative to address cyber risk in a structural way. Understanding their cyber risk profile and managing the associated cyber risk allows organisations to prioritise and allocate resources where they are most needed. In a fast-developing cyber threat landscape, further intensified by generative AI, geopolitical tensions and upcoming regulation, ensuring that the cybersecurity function is managed in alignment with business risk contributes to business resilience and the protection of business value. Additionally, trust from the market, compliance with regulation and the readiness to safely adopt new technology for competitive advantage provide opportunities for value creation.
