Don't buy (or sell) the cyber cat in the bag

This blog is an English translation of an article published in Computerworld on April 7, 2023.

Danish version: Køb (eller sælg) ikke cyber-katten i sækken - Computerworld

Cyber risk is assessed very inconsistently from company to company. Some companies are far more careful than others, and there is currently no definitive standard for cyber due diligence. So you, as a buyer, must make sure to factor the risk you take on into the price you are willing to pay for the company.

The housing market has come to a standstill.

The same applies to a certain extent in the market for buying and selling companies. It is a natural consequence of the economically uncertain times. The desire to invest is therefore far lower than normal.

But there will always be SMEs that need capital, and companies that need to be sold in connection with acquisitions, generational change or the like.

So if you have a little money set aside, there will most likely be an opportunity to make a good deal.

So what is a good deal? In most people's eyes, a good deal is either a stable company with a profitable product or a startup with a good idea and huge potential.

In both cases, you would naturally like the company to be slightly undervalued in the valuation.

Focus on growth

But now watch out!

An exciting product, a hungry market and a secure supply chain. What more could a buyer really want?

Cyber criminals ask themselves the same thing. A real treat for a hacker is an SME where the focus has been more on growth than on IT security.

Concretely, an attractive target for hackers is a company where production and sales have been running at full steam so that a healthy business can be presented, preferably with a low cost base. In such a company, IT security is very likely lagging behind digitalisation.

Today, the cyber risk is often the biggest risk.

A successful cyber attack can wreak so much havoc on a business and cost so much money that its value will drop drastically.

Therefore, the cyber risk should play a decisive role when you as an investor are looking for new investments. The cyber risk is of course not just a threat to the business being traded.

If, for example, you buy with a view to a merger, the two companies should preferably be at the same security level.

If they are not, the lowest level will be the one that applies to both companies, thus increasing the risk for both of them.

This in turn affects the companies you supply, which in the worst case risk 'contagion'.

There are a number of unfortunate examples from the past where an attack that took place after the purchase was made and the merger completed brought down both companies.

One step ahead of the buyer

Today, when a company is being prepared for sale, the focus is primarily on the accounts and the products.

Cyber risk is assessed very inconsistently from company to company. Some companies are far more careful than others, and there is currently no definitive standard for cyber due diligence.

So you, as a buyer, must make sure to factor the risk you take on into the price you are willing to pay for the company.

Conversely, there is no doubt that this will be where you, as a cyber-savvy buyer, can stick the knife in and push the price down.

So here is an opportunity, if not exactly to increase the value of your company, then at least to avoid losing money.

The way to do that is to carry out a cyber risk due diligence yourself, so that you put yourself one step ahead of the buyer – and the hacker.

Finally, a few pieces of advice for those of you who don't want to be caught selling the cat in the bag.

An effective cyber security due diligence should focus broadly so that it can provide an overview and an understanding of the overall level of security in the entire organization.

The analysis should be based on the guidelines from CIS, ISO27x, NIST and other recognized best-practice security standards.

It should take into account the company's sector in terms of criticality and expected risk.

The company's security posture is then assessed based on a combination of documentation, technical tests and interviews with representatives of the company's IT management.