Protecting your business value: Cybersecurity & compliance in a post-CGT hike era


For SME business owners contemplating a sale, the recent Capital Gains Tax (CGT) increases announced in the Budget present new challenges.

According to Ed Bartlett, CEO of leading compliance provider Hicomply, one of the most significant risks to business valuation during due diligence lies in cybersecurity and compliance standards.

“Cybersecurity and compliance have become critical to preserving and maximising business value,” Bartlett explains. “Buyers and investors are now more cautious than ever, and poor security management or a lack of certifications like ISO 27001 can significantly erode value or even derail deals entirely.”

In a tightening deal landscape, SME owners must be proactive in addressing cybersecurity risks, which are increasingly scrutinised as part of due diligence processes. Investors are no longer content to address cybersecurity gaps post-transaction; these concerns are now deal-critical.

Cybersecurity: The hidden deal breaker

Cybersecurity lapses can have far-reaching impacts on valuation, especially in sectors like technology, finance, healthcare, and retail. The average cost of a cyberattack on SMEs in the UK is around £75,000, with even greater risks in high-value sectors.

Sector-specific cyberattack costs, according to IBM’s 2023 Cost of a Data Breach Report:

  • Finance and insurance: Over £4 million per incident.
  • Healthcare: Approximately £3.2 million.
  • Retail and e-commerce: Around £2 million.
  • Technology and software: Approximately £2.5 million per breach.

Bartlett warns that such breaches not only impact profitability and operations but also tarnish a company’s reputation, making it less appealing to potential buyers.

“Investors see cybersecurity negligence as a liability,” Bartlett notes. “Private Equity firms and trade buyers alike are increasingly unwilling to overlook security shortcomings. For some, it’s become a deal-closing criterion.”

Certifications to boost valuation

Meeting recognised standards like ISO 27001 or Cyber Essentials can significantly enhance business valuations. Research shows ISO-certified companies often command valuations 10-20% higher than non-certified counterparts, reflecting the trust these certifications inspire among buyers.

“Cybersecurity isn’t just about protection; it’s about demonstrating resilience and readiness,” Bartlett emphasises. “Businesses that proactively achieve these certifications send a clear signal of their commitment to robust security practices, streamlining the due diligence process and attracting premium valuations.”

Steps to safeguard value

To help SME owners prepare for sale, Bartlett advises:

  1. Conduct cybersecurity audits: Uncover vulnerabilities before potential buyers do.
  2. Pursue ISO certification: Demonstrate internationally recognised security practices.
  3. Adopt Cyber Essentials: Establish basic protections for smaller budgets.
  4. Train employees: Reduce risks from human error.
  5. Enhance physical security: Strengthen access controls to critical IT systems.
  6. Consult experts: Tailor your cybersecurity strategy to business and investor needs.

Adapting to the new tax landscape

In a post-CGT hike era, cybersecurity and compliance have shifted from operational concerns to strategic imperatives. For SME owners planning a sale, investing in these areas isn’t just advisable; it’s essential.

“The stakes have risen,” Bartlett concludes. “To preserve and enhance value, businesses must adapt quickly to meet the heightened expectations of today’s buyers and investors. Cybersecurity and compliance are no longer optional – they’re critical.”




