Articles

SaaS Cybersecurity Due Diligence

February 28, 2020

Imagine that you have just signed an LOI for the acquisition of your company.  You, the CFO of a mid-sized SaaS company have spent the last 2-3 years getting your financials, your retention, CAC and other key metrics, in shape so you are offered an attractive valuation multiple.  Your investors are excited about seeing the return on their money.  Now comes the final due diligence, including a cybersecurity review.  You employ solid cybersecurity tools and procedures, so you think you are pretty safe.  But the financial or strategic acquirers do a thorough check, and they find:

  • Chinese forum chatter about the company’s financing, or
  • Over a hundred leaked company credentials from third-party breaches (LinkedIn, MySpace, Dropbox, etc) where your employees have reused their company email and password on a third-party site (an admin used their company credentials to log into Domino’s to order pizza for the company happy hour).

These are real and surprisingly common examples.

Cybersecurity Due Diligence

Cybersecurity due diligence has been a “good” idea for ten years.  Over the past 24 months, due to some high-profile acquisition disasters, it has become critical -- and standard.  In one case, an acquirer found out after acquisition that the IP of the acquired property had been stolen and was just coming to market in China, undermining the whole value of the acquisition.  In another, an acquiring company was left holding the bag when it came out that the acquired company’s customer data had been breached.

We’re safe because we aren’t big enough to rate the attention of hackers

Cybersecurity breaches for large corporations affecting millions of users like Target or Equifax get all the media attention.  But new research from RSM and a review of cybersecurity insurance data shows that 96% of cybersecurity insurance incidents filed with insurance companies currently are for small and mid-sized companies.

Because cybersecurity attacks are increasingly automated, it is easier and easier for hackers to go after thousands of companies at the same time at no extra cost or effort for them. In sales, there is a motto that it costs the same effort to sell a $100k deal as to sell a $10k contract (so why bother with the small contract?).   For hackers, the opposite is true.   The cost per hack of an SMB company is minimal and the number of SMB cyber events is growing by 10% year over year.

It costs the same to hack a million accounts at one time, and once in, there is usually less security to get at critical data.  By contrast, many very large corporations are regulated with better rules about consumer and private data management.  The effort to hack a very large company is manual and thus costly.  Large companies, even if breached, have layers and layers of firewalls protecting and segmenting important data, so the payoff is can be limited.

Cyber Insurance Stats

Cyber event types and costs are increasingly deviating for large versus small companies.   For large companies, it is less about stealing IP and often more about stealing consumer data.  For SMB companies, it can be about IP and legal payoffs, or a data breach.

The data is showing a divergence in the types of attacks in the same industry by size of target.  In other words, cyber insurance filings are showing that the type of attacks in one industry on the very large companies, will show very different types of attacks on the smaller companies in that industry.  Leading-edge SMB tech companies with unique data or IP will be more heavily targeted than older, large companies in the same industry.

And the data shows that the majority of large companies pay 25% of the costs per record than smaller companies, because larger companies tend to have made larger security investments upfront with better security preparation, so the relative cost hit is less than for a small company that may lose all its data or IP.  The equivalent incident in an SMB is 4X the cost on average than the same kind of incident in a large company.

Overall, though, total incident costs have been dropping for a few years.  Many cyber experts believe that we are in a calm before the storm, where the current hacking techniques are known, and more companies are implementing some sort of security procedures, so it is better than it was a few years ago.  The expectation, though,  is that it will get worse again, and most likely focus on attacking privacy.

Privacy Versus Data Security

Data security means that the data your company has is secure from outside, or unauthorized access.  Privacy is the issue of why the heck does your company have this data?  Norms and regulations around privacy are changing, led by the EC’s GDPR (click the link for a humorous take on GDPR) and spreading in the US, with California’s consumer data regulation which went into effect Jan. 2020.

What Does This Mean for SaaS Companies?

SaaS companies need to be super vigilant about cybersecurity and customer, prospect, and marketing data.  Cyber vigilance is critical for two key business reasons:1) SaaS companies are under increasing pressure from customers to show that the vendor is complying with all possible security and privacy regulations.  Customers want proof that their data is secure, not just in your system, but in any third-party systems that touch your data:

  • Think about all the SaaS services that you use: cloud-based customer engagement analytics, your cloud-based security app that tracks customer IP addresses, your CRM provider, your marketing provider with access to all your customer names and emails, etc.

2) Acquisition due diligence.  For companies preparing for an exit, it is always better to be prepared for anything that potential acquirers or investors might throw at you.  Acquirers want to know:

  • your security management, processes, and procedures, and
  • your security budget – can you document it?

Final Word

A hack is a statistical probability, there’s no hiding because you are a relatively small company.  The data shows that companies with the greatest preparation tend to have the lowest cost in the event of an incident.

Test yourself and be prepared.Many thanks to Daimon Geopfert, Principal, National Leader of Security and Privacy Risk Consulting, at RSM for sharing much of the above analysis.  Daimon does a lot due diligence work with PE firms and can be reached at  daimon.geopfert@rsmus.com.