by Granville Triumph
In 2017, Verizon reduced its purchase price for Yahoo by $350 million, or 7 percent, after Yahoo disclosed data breaches that exposed at least 1 billion user accounts. Yahoo also agreed to assume 50 percent of the liability for investigation into the breaches. This event raised awareness of the impact of cyber threats on company valuations in M&A transactions.
So far, however, it hasn’t materially changed standard M&A practices. Despite greater awareness of the potential cost of cybersecurity issues, executives continue to focus on finances, operations, sales and legal when acquiring a company. When cybersecurity is addressed, it typically involves disclosures from the seller about past incidents and internal controls. Even if sellers are completely honest, they may not be aware of their security vulnerabilities or know that an attacker has infiltrated their IT environment.
As a result, cybersecurity issues are frequently discovered after the deal is closed. In a recent Forescout global survey of IT and business decision-makers, 65 percent of respondents said they wound up regretting an M&A deal due to cybersecurity issues. Cybersecurity concerns discovered after the deal is consummated present costly risks that, had they been known earlier, would have been factored into the negotiations or led to the deal’s dissolution.
More Cybersecurity Focus Needed
Due to the potential consequences of a security incident, undisclosed data breaches have become a deal-breaker for most companies. Nearly three-quarters (73 percent) of respondents agreed that their company’s M&A strategy does not allow for a deal with a company that has an undisclosed data breach. More than half (53 percent) reported that their organization had encountered a critical cybersecurity issue or incident during an M&A deal that put the deal into jeopardy.
The survey found that greater emphasis on cybersecurity risk is needed during the M&A process. In fact, 81 percent of respondents said they are putting more focus on an acquisition target’s cybersecurity posture than in the past, highlighting that this is a top priority.
However, proper cybersecurity evaluation takes time, and acquisitions often run on the fast track. Most M&A transactions involve midsize companies that are sold through an auction process. The seller engages an investment bank to create competition among potential bidders. This typically involves an accelerated process in which potential acquirers are given just a few weeks to go from initial valuation through due diligence, letters of intent, negotiation and definitive agreements.
In-House Expertise Often Lacking
Acquirers have a couple of opportunities to investigate the company’s cybersecurity posture, but are unable to do so in the given timeframe. Only 36 percent of respondents to the Forescout survey strongly agreed that their IT team was given adequate time to review a target’s cybersecurity standards, processes and protocols before completing an acquisition.
What’s more, internal IT teams often lack the skills to conduct cybersecurity assessments. Among IT decision-makers, only 37 percent strongly agreed that their IT team has the skills necessary to conduct a cybersecurity assessment for an acquisition.
Given this lack of internal resources, organizations should engage outside resources to complete a robust assessment. A third-party provider can also offer an objective perspective capable of identifying previously unknown cybersecurity gaps that put sensitive data, intellectual property and critical systems at risk.
Cybersecurity issues and incidents are placing a cloud over M&A transactions. Before completing an acquisition, companies should invest adequate time and resources to thoroughly evaluate the seller’s cybersecurity posture. Failure to do so could result in a costly mistake.