For small and medium business owners thinking of selling, the recent increases in Capital Gains Tax (CGT) announced in the Budget present new challenges.
According to Ed Bartlett, CEO of leading compliance provider Hicomply, one of the most significant risks to a business's valuation during due diligence lies in cybersecurity and compliance standards.
“Cybersecurity and compliance have become critical to maintaining and maximizing business value,” explains Bartlett. “Buyers and investors are now more cautious than ever, and poor security management or a lack of certifications like ISO 27001 can significantly erode value or even derail deals altogether.”
With a tightening deal landscape, SME owners must be proactive in addressing cybersecurity risks, which are increasingly being examined as part of due diligence processes. Investors are no longer satisfied with the remediation of cybersecurity vulnerabilities after the deal; these concerns are now crucial to deals.
Cybersecurity: The hidden deal
Cybersecurity vulnerabilities can have far-reaching implications for valuation, especially in sectors such as technology, finance, healthcare and retail. The average cost of a cyber attack on a UK SME is around £75,000, with higher risks in higher value sectors.
Industry-specific cyber attack costs according to IBM’s 2023 Cost of a Data Breach Report:
- Finance and insurance: over £4 million per incident.
- Healthcare: about £3.2 million.
- Retail and e-commerce: approximately £2 million.
- Technology and software: approximately £2.5 million per breach.
Bartlett warns that such breaches not only affect profitability and operations but also tarnish a company’s reputation, making it less attractive to potential buyers.
“Investors view neglecting cybersecurity as a liability,” Bartlett notes. “Private equity firms and commercial buyers alike have become increasingly unwilling to overlook security deficiencies. For some, this has become a criterion for completing a deal.”
Certifications to enhance valuation
Meeting recognized standards such as ISO 27001 or Cyber Essentials can significantly enhance business valuations. Research indicates that ISO-certified companies often receive ratings 10-20% higher than their non-certified counterparts, reflecting the trust these certifications inspire among buyers.
“Cybersecurity is not just about protection; it is about demonstrating resilience and preparedness,” Bartlett emphasizes. “Companies that proactively obtain these certifications send a clear signal of their commitment to strong security practices, streamline the due diligence process and attract outstanding reviews.”
Steps to preserve value
To help SME owners prepare for sale, Bartlett advises the following:
- Conduct cybersecurity audits: Find vulnerabilities before potential buyers do.
- Obtain ISO certification: Demonstrate internationally recognized security practices.
- Adopt Internet Essentials: Create essential protections for small budgets.
- Train staff: Reduce risks caused by human error.
- Enhance physical security: Strengthen access controls to critical IT systems.
- Consult the experts: Tailor your cybersecurity strategy to the needs of businesses and investors.
Adapting to the new tax landscape
In the post-CGT era, cybersecurity and compliance have shifted from operational concerns to strategic imperatives. For SME owners who are planning to sell, investing in these areas is not only advisable; it is necessary.
“The risks have gone up,” Bartlett concludes. “To maintain and enhance value, companies must adapt quickly to meet the growing expectations of today’s buyers and investors. Cybersecurity and compliance are no longer optional; they are critical.”