How RiskLens Can Help Uncover Material Cyber Risks in a Merger

“Wall Street Is expecting an M&A Explosion This Year” –Business Insider

“Tax Cuts Fuel Biggest Merger Spree Since 2000” –The Wall Street Journal

Whether it’s the tax cuts or optimism about the economy or piles of cash on hand, it is likely that this is the year many more companies will confront firsthand the hard truth that cyber risk = merger risk.

The infamous case in point: The discovery during Verizon’s acquisition of Yahoo! in 2017 of the massive data breach of Yahoo! user accounts, resulting in a $350 million price reduction – in effect, Verizon’s revised estimate of the risk (of legal judgments, for instance) it was taking on with Yahoo! And in fact, Yahoo! investors recently won an $80 million court settlement.

So proactive cyber due diligence has become a must-do, especially in deals where the key assets are customer data or intellectual property. Typically, that includes evaluating the company’s “first line of defense” by running penetration testing or checking compliance with best practices standards. But more sophisticated acquirers also run a thorough analysis that puts a price tag on cyber risk.

RiskLens can help. The RiskLens application was built to estimate the financial costs of cyber risk, and just as important, the FAIR model (that’s Factor Analysis of Information Risk) that powers RiskLens provides a roadmap for the difficult tasks of data gathering in merger due diligence.

Let’s take an analysis of the target company’s Top 10 cyber risks as the starting point. The FAIR approach is, first of all, a structured way for analysts to interview experts from around the company – not just in IT, but finance, legal, HR – to uncover…

  • What are the key assets, where are they located, how are they protected, and how does the company value them?
  • What are the threats that might cause losses, based on the company’s experience (competitors stealing intellectual property? employees accidentally emailing confidential data?)
  • What are the potential types of loss? Release of confidential customer information? Destruction of data? Website outage?
  • Based on past experience and how the landscape is evolving, what are the most likely loss events and their probabilities?  To get at costs, RiskLens analysts develop loss tables based on the company’s own data combined with industry-standard data.

With accurate data on the company’s top risks in hand, analysts can run the numbers through the RiskLens application’s Monte Carlo engine. The result is a distribution, a curve showing a range of probable loss in dollars for each risk or all top risks aggregated.

As a decision tool in a merger, where complete visibility into the target company is tough to achieve, this output has some big advantages:

  • It combines company data with industry data to fill out as good a picture as possible of the target company’s risk, both current and post-merger. The Six Forms of Loss (covering response costs, legal costs, etc.), a guided analysis embedded in the RiskLens tool, gives a structured way to estimate the impact of future loss events, a factor to figure in the valuation of the target company.
  • It puts some context around first-line-of-defense investigation; in other words, how important are any vulnerabilities uncovered, really?
  • It’s solid documentation for regulators or shareholders who might challenge the deal.
  • Most importantly, it shows a range of probable risk in dollars that the acquiring company can compare to its risk appetite, in deciding how to value the acquisition, ask for remediation of problems or just take a walk.


The Yahoo! Effect – Cyber Risk Is Killing Merger Deals