Cybersecurity Risk in the Business Valuation Profession
Every company—large and small alike—now faces material risks related to data security and privacy concerns that need to be addressed when performing a business valuation. This is a challenging area for valuators because it is a complex issue and there is little guidance or empirical data to help quantify these risks. Fortunately, ideas and techniques are emerging to help pave the way to better understand and measure the impact of data security and cyber liability risks on the value of a business.
As stated in the recent article, “Assessing Cybersecurity Risk When Doing a Business Valuation,” from Business Valuation Update (BVU): Valuators should not make the mistake of assuming that, because a company is smaller, there are likely to be no, or few, cybersecurity or cyber liability issues to be factored into its valuation. “Cybersecurity is a highly complex field that no appraiser or financial expert can reasonably be expected to master without extensive training and education,” says Charles Hoff, JD, MBA, founder and CEO of Data Security University. “The challenge for the valuation expert is to determine whether cybersecurity vulnerabilities exist which demand special attention in the appraisal or damages assignment.” Hoff has created a helpful cybersecurity checklist, below, for the guidance of valuators.
I. Organization Cyber Awareness and Governance (PEOPLE)
☐ Board level—cyber/audit committee
☐ Senior management team and threat sharing—CISO and CPO coordination with CEO, COO, CFO, CTO, and GC
☐ Incident response team and tabletop exercises inclusive of data recovery
☐ Trusted advisors/consultants—security and insurance
☐ Extensive employee training and phishing simulation programs
II. TECHNOLOGY
☐ P2P encryption
☐ EMV (chip and PIN/signature)
☐ Complex passwords changed frequently, multifactor access authentication, antivirus software, firewalls, VPN, penetration and vulnerability scans, and internal security assessments
III. PROCESS (POLICIES)
☐ External and self-assessments
☐ DevSecOps: integrating security practices within the DevOps process. DevSecOps involves creating a “security as code” culture with ongoing, flexible collaboration between release engineers and security teams
☐ Employee handbook, e.g., use of IOT and mobile devices; lost or stolen devices
☐ Keeping up with security software patches and updates/not using unprotected legacy systems, e.g., Windows XP
☐ Insurance and incident response plan (IRP) (inclusive of consumer notification and credit monitoring/ID theft protection)
☐ Data loss prevention (recovery)
☐ Physical security protocol
☐ Compliance with security and privacy statutes
☐ Third-party/vendor compliance agreements/assessments
☐ Due diligence/agreement safeguards regarding cloud servers
Part I of the checklist, “Organization Cyber Awareness and Governance (PEOPLE),” advises the valuator making an appraisal to first go directly to the board level and C-suite in order to understand how seriously it takes cybersecurity. When it comes to cybersecurity insurance, the valuator should not only check that it is in place, but also determine the policy’s exemptions, exclusions, and other conditions to understand its possible effect on the valuation.
Part II of the checklist, “Technology,” shows the importance of knowing the difference between point-to-point (P2P) encryption and encryption. Another area to check is whether the business has tokenization for data at rest. “Tokenization is basically substituting a sensitive data element with a non-sensitive equivalent, known as a token,” Hoff explains. The valuator should also inquire into whether the business has adopted Europay, Mastercard, and Visa (EMV)—chip and signature in the U.S., chip and PIN in Europe—for authentication.
Part III of the checklist, “Processes (Policies),” singles out vendor agreements for special mention. “Be aware that those vendor agreements need to be scrutinized and there needs to be an assessment done for every third or fourth party to ensure that bad guys don’t get in through the back door,” he says. “That includes due diligence on the cloud provider.”
Data security and privacy should be considered an ongoing cost of doing business and treated as such in a valuation. The profession will need to develop guidance as to how to address it in order to ensure that a valuation has maximum reliability and credibility.
For access to this and other articles from top thought leaders in the profession, be sure to subscribe to BVU. And dive deeper into the world of data security with Hoff, alongside valuation practitioner Michael Blake (Brady Ware & Co.), in BVR’s briefing, “Cybersecurity in Business Valuation: Addressing the Impact of Data Breaches on Value,” and learn emerging ideas and techniques that are helping to pave the way to better understand and measure the impact of data security and cyber liability risks on the value of a business.