Businesses face increasingly sophisticated cybersecurity threats which expose them to costly operational disruptions and reputational damage. But advisers involved in the mergers and acquisitions process think these potential risks often are not scrutinized enough when dealmakers engage in due diligence.
At its most basic, due diligence in M&A is an investigation to uncover potential trouble that would damage the expected value of a transaction. Merrill Corporation facilitates due diligence in more than 5,000 projects a year, helping firms around the globe securely protect, share and collaborate on their most sensitive and confidential content through its industry-leading virtual data room, Merrill DataSite.
Advisers to dealmakers sense both buyers and sellers are neglecting an opportunity to avoid expensive pitfalls, and urge parties to be more exacting. “Given the operational, financial and reputational costs at stake, cybersecurity should join the ranks of other traditional due diligence inquiries in deal practice,” according to law firm Skadden, Arps, Slate, Meagher & Flom.
Yahoo’s discovery of two massive data breaches after Verizon Communications had agreed to buy the web portal’s operating business brought home the potential consequences of undiscovered cyber issues. The purchase price was reduced by $350 million to $4.48 billion, and the two companies agreed to share some legal and regulatory liabilities related to the two breaches, which involved as many as 1 billion email accounts.
Why is it crucial to understand the cybersecurity risks at a target company? Because buying a company “translates to buying data. And buying data means you are buying past, present, and future data security problems,” a report from the New York Stock Exchange aptly pointed out. “The economic impact of a transaction can shift dramatically if, after the deal is consummated, past or ongoing data breaches come to light,” the report added.
Prior to Yahoo’s disclosures and the haircut to its purchase price, surveys suggested executives had a relatively sanguine view of cyber risk due diligence. A report by Freshfields Bruckhaus Deringer LLP in 2014 indicated that while awareness of threats was rising, 78% of dealmakers polled believed cybersecurity wasn’t analyzed “at great depth or specifically quantified,” as part of M&A due diligence. Deal advisers say executives are more cognizant of cybersecurity issues but still aren’t as careful in the diligence undertaking as some might expect.
“Cybersecurity is a critical business function, yet, paradoxically, cyber risk is often insufficiently examined – or even overlooked,” during M&A due diligence, wrote Ricky White, a partner at accounting and consulting firm Ryan Sharkey, in a recent blog post.
Considering what is at stake, why does cyber risk due diligence often get a light touch? White says it’s often considered just one part of the larger IT puzzle, so it often lacks “robust diligence criteria” and technical expertise to assess risks. Other factors include scarce resources in a compressed diligence time frame, and examiners who tend to be more focused on the compliance side of cybersecurity rather than the assessment of actual risks, he added.
Risk consultancy Stroz Friedberg suggested that any adverse consequences from the current status quo assessment of a target’s cybersecurity posture haven’t been severe enough to make dealmakers more judicious. “It will take additional high-profile deals to be impacted negatively by cybersecurity issues before cyber due diligence in pre-deal negotiations is taken seriously,” the firm wrote on its blog.
Others, however, suggest that even a more rigorous due diligence effort won’t always uncover lurking cyber threats. Verizon executives have said that more due diligence might not have revealed the Yahoo data breaches. That means separate solutions are necessary, including warranties and other legal safeguards.
Meanwhile, deal advisers advocate the benefits of more transaction preparation for potential targets, along with more stringent cyber due diligence for both buyers and sellers.
Sellers “can ultimately maximize their sale price by examining their cybersecurity capabilities,” wrote Greg Bell, principal at KPMG’s Advisory Services Practice and service leader for the Information Protection practice, in a CIO article. “Demonstrating rigorous cybersecurity preparation is a sign of the company’s maturity and instills confidence in buyers – making the company more marketable and delivering more value to the buyer.”
Indeed, there are those who see companies stepping up to the challenges of a more complex due diligence process. A survey by law firm Morrison & Foerster last fall noted that concerns about potential liabilities are making buyers look more closely at targets. Eighty-two percent of those polled said that over the course of the year, they placed greater emphasis on the cybersecurity policies and practices at target companies.
As the list of prominent businesses suffering security breaches continues to grow, expect the potential damage from cyber threats to remain in the headlines, bolstering the argument for deeper pre-deal and pre-closing scrutiny in M&A. At the same time, expect companies executing M&A to also bank on warranties and other deal provisions to protect against future liabilities, expenses and reputational damage.