What cyber-attacks mean for valuations
March 26, 2024
Often a risk to value, but sometimes an opportunity
We have all read about the malicious cyber-attack on the Electoral Commission. Were you aware that the UK Government currently believes that the threat of a terrorist attack is substantial, which means an attack is likely? The immediate instinct is to think of a terror attack as something physical, but of course hostile actors see the opportunity in cyber-attacks.
This is always an area we look at when conducting a valuation. Is the company particularly exposed to a cyber-attack? Does it have cyber insurance, but perhaps more importantly does the cover enable the company to get back up and running before the customers or suppliers drift away?
Quantifying the impact of a cyber-attack is possible so that the valuation can reflect the situation. If a cyber-attack takes down a non-transactional website, that may not be a big issues, but if it turns off every installed machine that could be a significant problem. And that’s before issues such as ransom ware or theft of IP or money.
As a starting point you can find out how much appropriate cover would cost. If it is not in place, there would immediately be an impairment to the tune of the cost of the insurance for x periods, be that one year or more.
Where the risk is real, it is possible to understand how much needs to be invested to protect the company. That could be the value of contracts with experts who undertake penetration testing and more, or the equivalent cost of an in-house team whose job it is to mitigate the risk.
Does the company have a risk mitigation strategy in place? Are IT systems backed up? Is the disaster recovery plan solid?
Considering the insurance policy and what it actually covers matters. How and when claims will be met is critical to the avoidance of value destruction. As my colleague David Livesley pointed out when I discussed this email with him, there are also the intangible risks to value such as negative customer and employee perception of the company which causes behaviour change.
A fully protected company should not need to have an impairment for cyber-risk. The question always to be asked is can any company ever be fully protected such that there is not possibility of business interruption?
This may be a niche area, but in this digital world it should probably be given more prominence that historically would have been the case.
And when it come to matters digital it is not only cyber attacks that are the issue. What if a software upgrade does not work? Could company value be affected by employees’, customers’ or suppliers’ behaviour online?
There is no easy answer. Each company needs to be considered on a case-by-case basis. The good news is that it is possible to put a value on the risk.
And of course for companies offering protection from cyber threats to others, ironically, an enhanced risk of attacks increases the opportunity to do business and therefore create value!
