Making Cyber Risks Part of the Equation

BrandPost By Mike Skinner, Partner in Charge
Jun 01, 2017

M&A transactions must ensure adequate cyber security before closing the deal, or risk negative impact on valuation.

Headlines around hacking and data breaches have become a regular occurrence over the last few years. When a business loses the trust of its customers, that confidence can be nearly impossible to win back. Cyber security, or the lack thereof, can famously destroy existing companies, but could it also be killing future business deals?

The obvious example is Verizon’s potential acquisition of the deeply troubled Yahoo. Despite the flaws within the former tech behemoth, the deal seemed to be progressing forward nicely… until it was revealed that one billion Yahoo user accounts were compromised in 2013.

A key lesson learned from this untimely announcement: Buyers of any organization need to ensure that there is adequate cyber security in place before entering into an M&A discussion.

Understanding the costs of implementing adequate cyber security is crucial, as these costs far outweigh the risks associated with closing a transaction in which unknown vulnerabilities lie within the target’s network. Yahoo’s 2013 breach cost them $250 million of lost value. Verizon is lucky that news of the breach surfaced before they signed on the dotted line. Had it not, they would have realized a hard loss on their investment.

If buyers don’t take this very real threat seriously, there is a very large can of proverbial worms waiting to be opened over the next few years. Imagine a scenario in which company data is breached shortly after a successful merger, but the vulnerability existed prior to closing the deal. Who would be deemed responsible?

While traditional financial and operational due diligence remains important to the mergers and acquisitions process, why don’t we see cyber security—the #3 risk facing CFOs in 2017—as a key aspect of the due diligence process? The protection of future organizational value should not be an afterthought, but treated with the respect it deserves. Risks to future value simply must be intensely evaluated.

So, what should you do? Here are my top pieces of advice for those entering an M&A deal:

  1. Leverage the use of independent third parties throughout the negotiation process to avoid “cyber surprises” once the purchaser has the keys to the data center. Most due diligence review processes are in dire need of a digital makeover to reflect modern threats to business continuity. Ensure a cyber expert with the right expertise is on every due diligence team.
  2. Identify and prioritize risk as the first line of defense in determining where you are now and how to move forward. Prudent planning and addressing cyber security via risk-based due diligence is critical to protecting the long-term value of an acquisition.
  3. Define responsibility for a post-acquisition breach caused by pre-acquisition decisions. When an attack occurs after an M&A (and it will), many have discovered the hard way that indemnity provisions do not provide the assumed protection. After three years of headline news around cyber-attacks and the ripple effect on M&A transactions, there shouldn’t be any surprises left on the table.

While ensuring due diligence around one of today’s top business risks seems logical, I’m surprised to see that (far) more often than not, cyber resilience is left as an unknown in M&A transactions. In today’s digital economy, this approach is destined to cause new headlines about cyber-induced decreases in valuations.