Jim Brown, Partner at Blick Rothenberg, said: “We complete financial due diligence for many clients as they either sell or acquire a business and in a high percentage of such reviews so far this year a phishing attack has led to five-figure sums being paid to a bogus supplier.
“Beyond direct financial loss, this raises questions about the processes and controls in place and could become a negotiating point to reduce the sales price or even lead to a deal collapsing altogether.”
The remarks come after the results of a recent cyber-crime survey of more than 1,200 businesses across the UK conducted by the British Chambers of Commerce were published, showing that 20% of the respondents had been the victim of a cyber attack in the last 12 months.
Brown said: “Cyber security breaches can have a devastating effect on a business. The often-quoted figure is that 60% of entities hit by cybercrime aren’t trading twelve months later. This reflects the fact that they are not ready to identify the threat, protect against it or respond from both an IT and communications perspective.
“Beyond potential investors, HMRC are also taking an interest. In a recent case, a client who had been subject to a VAT fraud had, with our help, their penalties suspended but subject to conditions that included strengthening the level of cyber security in the business.”
Sam Temple, Managing Director at cyber security consultancy JUMPSEC, said: “We are seeing an increasing number of incidents relating to invoice fraud and ransomware; the effects are often devastating to those companies involved.
“It is surprising that cyber security review has not been more closely linked with the due diligence process in M&As. We have conducted software reviews on behalf of acquiring businesses that have led to a six-figure reduction on the final purchase price.”
He added: “Any young business will have to take risks; the problem they may have when it comes to cyber is that these businesses are unable to effectively quantify these risks and are therefore not equipped to make ‘risk intelligent’ decisions.”
Brown said: “The actions required are multi-faceted and not just the responsibility of the IT department. It would appear that many SMEs are not aware of the potential threat, let alone spending the recommended level of 10%+ of their IT budget on combatting it.”
“This has become such a significant issue that we are aware of private equity providers who are including cyber assessment as a part of their due diligence with a minimum acceptable level for companies in their portfolio. If this is not accepted by the owners and entrepreneurs in small and growing businesses, they may find that all their hard work was for naught and that the businesses fail.”