Booz Allen Hamilton

The Cybersecurity Dilemma: Incentives to Drive Change Rather than Reactive Response

 

 

The Current Market Dichotomy – Significant Investment in Cyber Companies, but No Due Diligence on Cyber

Posted by Kristin Verderame on 10-26-11

Kristin Verderame

Principal with extensive expertise in government affairs and large-scale change management.

During the recent Expert Voices panel, which discussed the Cybersecurity Dilemma, we heard John Allen, CEO of Bluestone Capital Partners, talk about how most of the investment he sees today revolves around companies offering some sort of cyber product or service. However, we learned that in his experience and that of our other panelists, virtually no due diligence is typically done on the state of cybersecurity of the acquired entity. Why the dichotomy?

Imagine an institutional investor acquiring a pharmaceutical company based on the prospects of a new drug coming to market. Imagine how the investor would react if the very next day after the deal closes a cyber attack occurs, and all of the intellectual property relating to the new drug is stolen. The share price tanks, and the value of the investment is lost—in one day.   

Cybersecurity risks to the value of a company are that real and can carry that much impact, that quickly, whether you are a company wishing to maximize valuation in anticipation of acquisition or an investor wishing to secure a solid investment value for its purchase. So one would think that investors considering an acquisition, with their hordes of corporate attorneys and accountants performing due diligence into potential risks to valuation, would focus very heavily on this area. That is not happening. Why?

  • The market is just not focused on the real threat of cyber attacks. Some companies are penetrated, and if they handle the incident well, their share price is unaffected. If companies were to take a consistent hit on their share price for not being prepared, we would start to see more attention to cybersecurity. I suspect we would see a similar effect if trade analysts were to consider cybersecurity as a factor when making investment recommendations.
  • Companies do not yet compete on the basis of security. The corporate world is customer-driven – if customers see strength in cybersecurity as a determining factor in choosing suppliers, and suppliers see security as a competitive advantage, we would see a change in behavior.
  • Companies do not yet feel the pain of regulation. Many believe that companies will not shift their focus until the pain of regulation is upon them, from legislative action or administrative requirements. 

 
