Protecting Your Company’s Valuation
Businesspeople are often told that they need to improve their organization’s cybersecurity and cybercompliance in order to avoid costly consequences such as business interruptions, ransomware payments, and fines. And that’s true. Failure to aggressively mitigate these technology-related risks can result in significant short-term financial pain.
As important as these short-term motivations may be, however, it’s important not to neglect the potentially even more significant adverse impact security breaches and compliance violations can have on your business: reduced valuation.
In fact, protection of your organization’s valuation may be the single most important factor to consider when formulating your cybersecurity and cybercompliance strategy. Here’s why.
Doing the math
Valuation dwarfs earnings. It’s a simple mathematical fact. That’s because businesses are valued as a multiple of their earnings. So the true financial worth of a company isn’t based on how much cash came in last week or what the gross profit was last quarter. The worth of a company is what someone will pay for it. And that number is based on what someone thinks its valuation could be in the future.
Consider Amazon, for example. Amazon’s market capitalization grew to more than $5.7 billion in 2003 before it even reported its first profitable quarter. That’s because the company’s perceived value wasn’t limited to its profits or cash flow. Investors valued Amazon based on its growth, its skyrocketing share of a booming online etail market, the scalability of its business model, and the power of its brand.
And although he wasn’t the richest man in the world yet, at that point Jeff Bezos was already a multibillionaire.
This leads us to a second point. Valuation isn’t just key to understanding a company’s financial status. It’s also the most important metric for anyone with a personal stake in the business—particularly major investors and executives. After all, investors get in the game because they expect their shareholdings to be worth more when they sell than when they bought. So they measure executive performance by the growth in valuation.
Growth is therefore central to executive compensation—whether that growth is rewarded with a cash bonus, a higher salary, or actual shares in the company.
In other words, both the financial performance of a company and the personal wealth of its leadership are directly tied to valuation. Protect that valuation and everyone wins big. Fail to protect it and everyone loses big.
Putting valuation at risk
How does valuation relate to cybersecurity and cybercompliance? Simple. When a company experiences an adverse security or compliance event, its valuation suffers. And that adverse impact on its valuation can dwarf the adverse short-term impacts on its earnings—just as positive impacts on valuation dwarf positive moves in earnings.
Take MGM Resorts as an example. When MGM’s properties were crippled by a phishing attack in September 2023, observers estimated its week-long shutdown would cost the company upwards of $80 million. But the adverse impact on its share value in the first week of the crisis was more in the neighborhood of $1 billion.
That’s because investors weren’t just concerned about the short-term impacts of a business interruption. They also saw the failure of MGM’s security as a sign of bad management. They understood that customers who had bad experiences on MGM properties as a result of the hack might be lost forever. And those investors are probably right—because several customers have already initiated a class-action lawsuit claiming that MGM did not adequately protect them from the hack and did not properly inform them about how it was unfolding.
Most of all, investors are concerned about the overall impact of the hack on MGM’s brand, as well as the possible regulatory consequences of its failure to adequately safeguard its information assets.
Of course, unlike MGM Resorts, your company may not be worth billions. But the same principle applies. When you get hacked, you lose more than a few days of sales. And your costs can go way beyond an incident response fire-drill. You permanently lose customers. You do permanent damage to your brand. And you cast doubt on the competency of present management.
All of which can have a significant adverse long-term impact on your company’s valuation.
A strategic three-point solution
If you want to be an Amazon instead of an MGM, consider the following three steps:
Undertake an independent risk assessment. You can’t mitigate your business risks if don’t find out what they are. So before you do anything else, get someone to come in and evaluate your exposure to risk. That doesn’t just mean looking for holes in your security. It means putting any shortfalls in your security and compliance posture in the context of their potential impact on your business.
Shore up your shortfalls. Once you have a risk assessment in hand, you can begin implementing measures to address your issues—beginning with those that pose the greatest danger to your company’s value. Those measures may include anything from more diligently implementing multi-factor authentication (MFA) to better training your employees to resist phishing attempts. But make sure you implement the right measures in the right order based on your exposure to business risk.
Engage a true security and compliance leader. Technicians can get to-do-list tasks done—but only a true executive-level leader can design, rightsize, manage, and continuously improve an optimally effective, optimally resource-efficient cyberrisk mitigation strategy. And that’s what you need. You need to leverage your finite budget and human resources to achieve the greatest possible reduction in your exposure to both cybersecurity risks and the risks associated with cybercompliance failure.
Security and compliance are not merely IT issues. They’re executive-level/board issues—because they have a direct bearing on company performance and valuation. So make you approach them that way.
To learn more about how a virtual CSO can help you take a strategic approach to protecting your company’s valuation, reach out to vCSO Magazine’s editors or contact any of the vCSOs listed in our vCSO Directory.