In November, news broke that Tesco Bank had been hacked and that 20,000 customers fell victim to thefts from their balances. This was just one in a long line of recent high-profile cyber-attacks that also saw the likes of Yahoo!, LinkedIn and Ashley Madison suffer serious breaches.
When it comes to looking at the reasons behind cyber-attacks on businesses, currently the majority of breaches are from database assaults, whilst a smaller but still significant share (around a quarter) are reportedly due to negligent employees or contractors. Yet these are only two of a number of methods by which hackers can gain entry. Motivations for the attacks can be equally varied, ranging from morally or politically inspired hacks, as with the Ashley Madison breach, to, as is more common, financial gain or competitive advantage.
According to a UK government report, intellectual property theft is the most damaging form of cyber-crime for businesses in the UK, reportedly costing an estimated £9.2 billion. It is easy to understand, therefore, why cyber-security companies are such hot targets for investment and acquisition. Cyber-security firm Cylance, for instance, recently completed a Series D funding round at a valuation rumoured to be near $1 billion.
The effect of a hack on companies can be severe. The 2015 cyber-attack on TalkTalk, in which almost 157,000 customers’ bank details were accessed, reportedly cost the company £42 million and led to a loss of roughly 100,000 customers. Meanwhile, many commentators expect the 2016 Yahoo! attack to negatively impact the proposed $4.8 billion sale of its core business to Verizon. What’s more, the new EU Data Protection Regulation, set to come into force in 2018, empowers regulators to levy fines of up to 4% of turnover, or €20 million, for each breach.
Yet regulators are not the only ones watching; potential suitors are, too. For companies seeking investment, a sale or an initial public offering, the negative impact of a successful breach could apply downward pressure on valuations. Even for those companies not actively looking for a significant corporate event, a depressed valuation, and the impact on cash and forecasts, could bring aggressive suitors to the door.
As cyber-attacks become more frequent and more powerful, the sensitivity of potential purchasers to the risks has increased. Targets must expect greater scrutiny of previous breaches and the measures in place to defend against attacks. Whereas it is difficult to control the actions of employees and contractors, companies will not be easily forgiven for failing to implement appropriate cyber-security measures and compliance plans. Conversely, demonstrating that efforts have been made should help reduce the risk of regulator fines and civil action. Having to disclose inadequate policies as part of a due diligence exercise is a potentially damaging action that could be avoided. Similarly, a business’ timely and proportionate reaction to a data breach is essential to instil trust and confidence in customers and suitors alike.
Despite there being a lack of prescriptive standards to adhere to, some best practice tips promoted both by the UK Information Commissioner’s Office and security services include the following:
- Implementation of a risk management programme developed across the organisation.
- Appointment of a person or persons responsible for data and cyber compliance.
- Rolling out updated and enhanced training for all staff.
- Using reputable anti-virus software relevant to all business areas.
- Insisting that software updates are downloaded upon release.
- Ensuring all employees use strong/complex passwords.
- Automatic deletion/quarantining of suspicious emails.
- Being ready to quickly and effectively respond to reports of a breach.
This is a good starting point for identifying areas of vulnerability that hackers will exploit and also helps provide an insight as to the topics that should be investigated as part of a due diligence process. Of course, the next step is to have sufficient expertise available to assess the commercial and legal strength of the responses.
With the ever-expanding amount of non-physical, commercially sensitive information being stored virtually, combined with the frequency of hacks, the importance of cyber-security will only increase. All companies must ensure a robust security strategy is in place for the sake of their own day-to-day activities and for preserving company value. Nothing brings the strength of these systems into sharper focus than an attack or the probing questions of a sophisticated CTO, technology expert or lawyer as part of an audit or due diligence process.