Yahoo is the latest example of how cyber security impacts a business. Not just in terms of threatened fines from regulators, loss of business and reputation, or hikes in insurance premiums, but in damaging exit value for shareholders.
So, if you are interested in future investment, mergers and acquisitions, or perhaps an exit of your business, then passing due diligence on cyber and information security is a must. Otherwise your final deal value might cost you a helluva lot more than a practical ISMS.
Verizon negotiated their acquisition of Yahoo for $4.8bn in the summer.
In October they were reviewing that deal after September’s breach disclosure affecting 500 million accounts.
On Wednesday last week, Yahoo revealed that 1bn user accounts had been compromised in a separate attack back in 2013, making it the largest of its kind in history.
What swiftly followed was a statement from Verizon saying it would “review the impact of this new development before reaching any final conclusions” about whether to proceed.
It’s not yet certain whether this latest attack will cost Yahoo the deal, but it has certainly seen Yahoo shares drop by 6%, so it will undoubtedly call into question the value and conditions of sale.
Of course, the Yahoo/Verizon numbers are huge, but it is a good example of how breaches, and investigations by regulators into the appropriateness of your policies and processes, can affect more than just the bottom line. Instantly culling your business value is no laughing matter.
This is not just a big-scale business problem; it also affects new business start-ups and those looking for growth or exit strategies.
For shareholders looking for additional investment, mergers or sale, a significant breach is bad news and is likely to have a material impact on interest and value.
There is no better time to consider implementing or improving an information security management system, for all sorts of reasons: ever more sophisticated cyber threats, changing regulations, stiffer fines, the competitive horizon and shareholder value.
It is no longer sufficient simply to describe an ISMS; you need to demonstrate compliant policies and processes that are being effectively implemented and managed. If a breach should occur, the investigating bodies will expect nothing less.
With 2017 just around the corner, and the countdown to GDPR, there will undoubtedly be many organisations considering information security and their strategy for the year ahead.