against Cyber risk with KPMG

Cyber security: challenges and opportunities in M&A

We invited Alejandro Rivas, Director of Cyber Security & Forensic Technology at KPMG Spain, to write for our blog. Here we present his insights into cybersecurity and cyber risk challenges, as well as opportunities regarding investments and Mergers and Acquisitions (M&A).

Digital transformation is a reality that positively affects a broad range of organizational aspects. Its reach spreads from marketing channels and HR, across financial processes, to compliance. Digitalization also entails an important technological overhaul, exponentially increasing the interconnectivity between companies, and between companies and consumers.

Unfortunately, greater interconnectivity also creates additional risks such as information theft and loss of services due to cyber-attacks. Ultimately, these risks can lead to legal proceedings or regulatory fines. This is what we now collectively call “cyber risks.”

Today, cyber risks have affected governments and private companies in various ways. The attacks ranged from theft of databases and intellectual property to incidents affecting hotel electronic doors and Wi-Fi, online banking and interbank payment networks, etc.

The methods of attack employed by cybercriminals are truly impressive. Their capacity for innovation and adaptation is as advanced as that of the leading technology companies.

The Consequences

As a result of these criminal activities, thousands of people have been affected in one way or another. In the corporate world, very recently a CEO lost his job subsequent to a data breach report.

From Brussels to Washington, legislators, concerned with the proliferation of cyber-attacks, are demanding greater involvement from the Board and are enacting new legislation. The penalties are substantial. In the case of the General Data Protection Regulation (“GDPR”), they can reach as high as 4% of global revenue.

How does Cyber risk affect M&A transactions?

We see three distinct angles:

How do I protect my M&A or investment strategy from cyber espionage? 

The M&A or investment strategy and any associated information, e.g. valuation models, must be handled so as to ensure confidentiality.

Although most companies with M&A activities understand this requirement, one can still find weaknesses such as failure to encrypt data and communications (email or telephone), or a lack of information access controls and mechanisms to detect security breaches.

How can I measure cyber risks on my M&A targets or investment portfolio?

At KPMG we have developed a unique cyber risk evaluation methodology, applicable to the Buy-side or Sell-side due diligence process, as well as on-going portfolio risk management activities. We apply traditional techniques based on interviews and documentation reviews in key areas: governance, operational model, architecture, detection and response capabilities.

The differentiating factor lies in the application of our proprietary cyber intelligence platform. Using this non-intrusive technique, we can investigate the Web at different levels, from the surface to deeper sources or so-called Darknets. Here is where we can see whether a Target’s confidential information is being sold by cybercriminals.

The combination of these two techniques, using a tech platform and a team of cybersecurity experts, enables us to correlate data from external and internal sources and provide more meaningful observations… with a quick turnaround.

What investment opportunities are there in the cybersecurity industry?

Without a doubt, cyber risks have fueled the security industry.

Significant R&D activities are being carried out with the involvement of government, the private sector, and academia, particularly in countries such as Israel where we see a large intellectual property marketplace. Europe, particularly Spain, is quickly catching up.

New technologies are being developed to tackle issues such as user access management more cost-efficiently through cloud-based solutions, or predicting fraud more effectively through machine learning algorithms.

We foresee exponential growth of the sector worldwide, augmented by interest among corporate investors, venture capital and private equity firms, as well as through IPOs.

Interested? Read here: “Madrid is hot!”

Startups involved in Cyber risk

KPMG has also capitalized on this trend through strategic acquisitions of companies like Qubera Solutions, TRUSTEDQ, P3 and Zink Security.

The latter is, in fact, the company KPMG acquired in Spain, and whose platform they now use across many different projects, ranging from compromise assessments and VIP digital footprint to, as explained previously, pre- and post-transaction cyber risk management activities.


The author

Alejandro Rivas-Vásquez, Director at KPMG Spain, leads advisory and assurance services across the full life-cycle of cyber security and forensic technology programs. With experience in deals (pre- and post-transaction), he is responsible for “Cyber in M&A” services in Spain.