Cybersecurity and compliance in a post-capital gains tax hike era

By Ed Bartlett, CEO, Hicomply 

For SME business owners, the news of increased Capital Gains Tax (CGT) announced in the Budget certainly wasn’t a welcome change, and a flurry of headlines has already been scathing about the barriers it brings for entrepreneurial behaviour, M&A and investment in the UK.

CGT hikes will bring a new era of M&A. Business owners considering a sale need to be more tuned in than ever to the factors that erode value during the due diligence process. One of the biggest drivers of ‘value chipping’ or ‘value erosion’ lies in cybersecurity and compliance standards.

In today’s already challenging deal landscape, poor security management and the absence of ISO standards can be significant threats to maintaining a high business valuation, and buyers and investors are becoming increasingly cautious. To maximise the value of your business and prevent potential “value chipping,” SME owners must address cybersecurity and compliance standards early on in the race to sale.

Here, I explore how cybersecurity impacts valuations, the risks posed by insufficient measures, and why meeting ISO standards should be a priority.

Understanding the impact of poor cybersecurity on business valuation

The impact of poor cybersecurity on business valuation is especially in focus for software companies and other tech sectors, where security resilience is key to product integrity. Investors, especially Private Equity (PE) firms and trade buyers, are increasingly scrutinising cybersecurity during the due diligence process. For these investors, weak cyber measures and an absence of ISO certifications can signal a need for post-transaction work to be carried out, adding cost and reducing the business’s attractiveness and perceived value.

In recent years, PE firms often accounted for cyber resilience issues as part of their post-transaction strategy. However, given the surge in cyber-attacks targeting newly acquired firms, investors have had to rethink their approach. Attackers tend to target businesses newly under PE ownership, knowing that these firms tend to have deeper pockets. This trend is pushing investors to incorporate cyber resilience requirements into pre-deal evaluations, often making it a deal-closing criterion rather than a post-deal adjustment.

For trade buyers in non-software or tech sectors, cybersecurity is often viewed alongside other compliance requirements, such as GDPR and environmental standards. However, when a target company has big cybersecurity issues or potential threats, it can translate into a direct value reduction, adjusting the valuation based on the cost of bringing the company up to an acceptable security level.

The growing cybersecurity threat to SMEs: who’s most at risk?

Cyber threats continue to increase and are evolving thick and fast, with the UK witnessing a huge rise in attacks on SMEs across sectors in 2024. Recent data suggests that the sectors most vulnerable to cyber-attacks in the UK include:

  • Finance and Insurance: With an average attack cost exceeding £4 million per incident, finance and insurance companies are prime targets.
  • Healthcare: Highly sensitive data makes healthcare an ideal target, with average attack costs estimated at £3.2 million.
  • Retail and E-commerce: Data theft is prevalent, and the average cost of an attack is around £2 million, particularly affecting online retailers with high volumes of customer data.
  • Technology and Software: Software companies face high risks due to product vulnerabilities, with cyber-attacks costing an average of £2.5 million per breach.

For SMEs, the average cost of a cyberattack in the UK is around £75,000, a potentially devastating sum that could chip away at profitability, operational stability, and, ultimately, valuation.

The importance of cybersecurity standards and certifications

Meeting cybersecurity standards can offer substantial advantages and increase valuations for businesses considering a sale. ISO 27001, the international standard for information security, for example, demonstrates a company’s commitment to data security and cyber risk management. By meeting this standard, businesses can quickly build investor confidence, reassure buyers during due diligence, showcase how they protect their customers and achieve higher valuations.

ISO-certified vs. non-certified companies: Research indicates that businesses that have implemented ISO standards typically see an increase in valuation between 10% and 20% compared to non-certified companies. By demonstrating robust standards and cybersecurity practices, these companies often pass due diligence with minimal issues. Companies without these standards are far more likely to face deal delays, value chipping, or even deals breaking down entirely.

Beyond ISO, the Cyber Essentials certification, a UK government-backed scheme, provides another layer of assurance, especially for SMEs. This certification, though less comprehensive than ISO 27001, establishes basic protection against common cyber threats, enhancing investor confidence and still potentially leading to higher valuations.

Avoiding the pitfalls: Cybersecurity as a due diligence deal breaker

As cybersecurity concerns climb the agenda for both PE and trade buyers, SME owners must recognise the increasing likelihood of a cyber-related deal breaker. Investors are very alert to the risks of inadequate cybersecurity, and many are actively seeking out businesses that have taken proactive steps to secure their systems and data. In this context, cyber negligence can significantly “chip” away at a company’s value.

For example, a software company with weak built-in security might be flagged during due diligence, especially if its product architecture has vulnerabilities. In such cases, PE firms might demand a discount equivalent to the cost of cybersecurity rectification, or worse, withdraw from the deal if the issue appears too complex or costly to fix. The impact of these deficiencies can extend beyond the immediate deal, tarnishing the company’s reputation and reducing its appeal to other potential buyers in the future too.

Proactive steps for SME owners preparing for sale

Given the potential financial and reputational costs of poor cybersecurity, I would urge SME owners to consider the following actions well in advance of putting their business on the market:

  1. Perform a cybersecurity audit: Work with a provider to get a comprehensive audit to reveal vulnerabilities in your IT infrastructure, giving you the chance to rectify issues before they’re flagged by potential buyers.
  2. Pursue ISO Certification: ISO 27001 certification signals to buyers that your business has implemented internationally recognised security practices, increasing trust and valuation.
  3. Implement Cyber Essentials: For businesses that may not have the resources to achieve ISO 27001 certification right now, Cyber Essentials provides basic protections against common threats and demonstrates a proactive approach to cybersecurity.
  4. Educate and train employees: Human error is often the weakest link in cybersecurity. Regularly train staff on best practices to reduce the risk of a security breach.
  5. Enhance physical security measures: Physical access controls are an often-overlooked element of cybersecurity. Limiting access to sensitive information and critical IT systems helps prevent breaches.
  6. Engage with a security standards expert: Consulting a specialist can provide tailored recommendations and assist in implementing a cybersecurity strategy that meets your business and customer needs and investor expectations.

Now is the time to protect your business value!

In a new tax landscape, it has never been more important for UK SME owners to maximise their business’s valuation. By focusing on cybersecurity and compliance, you can ensure that true value is preserved and even increased. Cybersecurity is shifting from a post-transaction issue to a pre-deal necessity, and buyers are increasingly unwilling to overlook these shortcomings.

As the UK’s SME market prepares for increased CGT impacts, business owners must adapt by addressing cybersecurity risks now. The stakes have risen, and the path to a successful business sale now hinges on robust, investor-aligned security and compliance measures.

hicomply.com