Cybersecurity & compliance in the post-CGT hike era
For SME business owners considering selling up, the recent increase in Capital Gains Tax (CGT) announced in the Budget brings new challenges.
According to Ed Bartlett, CEO of leading compliance provider Hicomply, one of the most significant risks to business valuation during due diligence lies in cybersecurity and compliance standards.
“Cybersecurity and compliance have become critical to maintaining and increasing business value,” explained Bartlett. “Consumers and investors are now more cautious than ever, and mismanagement of security or lack of certifications such as ISO 27001 can destroy significant value or disrupt deals altogether.”
In a tightening deal environment, SME owners should actively address cybersecurity risks, which are increasingly scrutinized as part of due diligence. Investors are no longer content to deal with cybersecurity gaps after a deal closes; these problems are now treated as very serious.
Cybersecurity: The hidden deal-breaker
Cybersecurity lapses can have far-reaching impacts on computing, especially in sectors such as technology, finance, healthcare, and retail. The average cost of a cyberattack on SMEs in the UK is estimated at £75,000, with risks even greater in higher value sectors.
Industry-specific cyberattack costs according to IBM’s 2023 Cost of Data Breach Report:
- Finance and insurance: Over £4 million per incident.
- Healthcare: About £3.2 million.
- Retail and E-commerce: Around £2 million.
- Technology and software: Around £2.5 million per breach.
Bartlett warns that such breaches not only affect profits and operations but also tarnish the company’s reputation, making it unattractive to potential buyers.
“Investors see cybersecurity negligence as a liability,” Bartlett noted. “Private Equity firms and commercial clients alike are increasingly unwilling to overlook security flaws. For others, it has become a sign of closing the deal.”
Certifications that improve valuation
Widely recognized standards such as ISO 27001 or Cyber Essentials can significantly improve business valuations. Research shows that ISO-certified companies typically command 10-20% higher valuations than their non-certified counterparts, reflecting the trust these certifications inspire among consumers.
“Cybersecurity is not just about protection; it’s about showing resilience and readiness,” Bartlett emphasized. “Businesses that consistently achieve these certifications send a clear signal of their commitment to strong safety practices, streamline the due diligence process and attract premium ratings.”
Measures to protect value
To help SME owners prepare for a sale, Bartlett advises:
- Conduct a cybersecurity audit: Find vulnerabilities before buyers do.
- Pursue ISO certification: Demonstrate internationally recognized security practices.
- Adopt Cyber Essentials: Establish basic defenses on small budgets.
- Train employees: Reduce the risk of human error.
- Improve physical security: Tighten access controls to critical IT systems.
- Connect with experts: Align your cybersecurity strategy with business and investor needs.
Getting used to the new tax situation
In the post-CGT era, cybersecurity and compliance have shifted from operational concerns to priorities. For SME owners planning to sell, investing in these areas is not only recommended; it is important.
“The numbers have grown,” Bartlett concluded. “To preserve and develop value, businesses must quickly adapt to meet the high expectations of today’s consumers and investors. Cybersecurity and compliance are no longer optional – they are imperative.”