The Bundesverband M&A’s digitalization working group is once again planning webcasts for 2021, with a focus on cybersecurity and software. The first event on March 25 kicked off with the central question of when and why cybersecurity is particularly important in the transaction context. The participants were Stefan Finkenzeller (PMG Projektraum Management GmbH), Stefan Marquart (INVENSITY) and Nadine Müller (EY). The discussion was moderated by Martin Kuegler (EY).
Stefan Finkenzeller, who was also CISO (Chief Information Security Officer) of a Landesbank before his current role, made the first important point: “In many transactions, cyber assessments are becoming increasingly important or even essential in the due diligence phase. Above all, there must be a fundamental understanding of the organization’s capabilities, how security has been handled in the past and how it is currently handled. This starts with the responsibility for security and ends with the so-called security controls, i.e. which specific technical measures have been implemented to protect the IT systems.”
Stefan Marquart pointed out that increasingly complex products are being created in the manufacturing industry that are equipped with more and more hardware and software, so-called embedded systems. This requires complex strategies and test procedures; after all, the operation of the systems or products must be reliable. This also requires regular updates. If the coffee machine networked via the Internet of Things does not receive the software update on time and breaks down, this can be very annoying. If the autonomous vehicle is unable to receive updates, this could jeopardize the safety of its occupants.
Transactions are also increasingly focusing on data-centric business models. If personal data is also involved, a review of the technical and organizational measures is essential. According to Nadine Müller, the legislator leaves little room for maneuver. Above all, companies that process personal data on a large scale must do so in compliance with the GDPR. In the transaction context, there is also the fact that the turnover of the entire group of companies is the basis for calculating the penalty in the event of an infringement – and this can be very expensive in the event of a merger, even if only the much smaller part of the company is affected.
As a result, cybersecurity budgets are increasing, ranging from around USD 200 per employee per year in the retail sector to ten times that amount, i.e. USD 2,000 per employee, for banks. Large companies in the manufacturing industry in particular are now making extensive security measures a condition for their suppliers, and this is naturally also driving up budgets, says Stefan Marquart. On the other hand, the financial impact of a cyberattack that leads to production downtime is much greater. It is even more problematic if the resulting reputational damage leads to a loss of customers and therefore turnover.
There are many misunderstandings surrounding certifications and information security management systems such as ISO 27001. ISO certification is fundamentally positive and, above all, creates a certain level of trust, according to all participants in the discussion. When it comes to the implementation of technical security measures, it makes much more sense to use the NIST (National Institute of Standards and Technology) framework as a guide.
As always, the upcoming dates will be announced under Events and via social media (LinkedIn). Planned topics include cyber insurance and source code reviews for software products in the context of transactions.