Headlines around hacking and data breaches have become a regular occurrence over the last few years. When a business loses the trust of its customers, it can be nearly impossible to win it back. Cybersecurity, or the lack thereof, can famously destroy existing companies, but could it also be killing future business deals?
The obvious example is Verizon’s potential acquisition of the deeply troubled Yahoo. Despite the flaws at the former tech behemoth, the deal seemed to be progressing forward nicely until it was revealed that one billion Yahoo users had their accounts compromised in 2013.
A key lesson learned from this untimely announcement is that buyers of any organization need to ensure that there is adequate cybersecurity in place before entering into an M&A discussion. Understanding the costs of implementing adequate cybersecurity is crucial, as these costs are far outweighed by the risks associated with closing a transaction where unknown vulnerabilities lie within the target's network. Yahoo's 2013 breach cost them $250 million of lost value. Verizon is lucky that news of the breach was released before they signed on the dotted line, or they would have realized a hard loss on their investment.
There is a large can of proverbial worms waiting to be opened over the next few years if buyers don’t take this very real threat seriously. Imagine a scenario where company data is breached shortly after a successful merger, but the vulnerability was around prior to closing the deal. Who would be deemed responsible?
While traditional financial and operational due diligence remains important to the mergers and acquisitions process, why don't we see cybersecurity, the #3 risk facing CFOs in 2017, as a key aspect of the due diligence process? The protection of future organizational value should not be an afterthought, but treated with the respect it deserves, and risks to future value must be intensely evaluated.
So, what should you do? Here are my top pieces of advice for those entering an M&A deal.
1. Leverage the use of independent third parties throughout the negotiation process to avoid "cyber surprises" once the purchaser has the keys to the data center. Most due diligence review processes are in dire need of a digital makeover to reflect modern threats to business continuity. Ensure a cyber expert is on every due diligence team.
2. Identifying and prioritizing risk is the first line of defense that helps you understand where you are now and how to move forward. Prudent planning and addressing cybersecurity via risk-based due diligence is critical to protecting the long-term value of an acquisition.
3. Define responsibility for a post-acquisition breach caused by pre-acquisition decisions. When an attack occurs after a merger or acquisition (and it will), many have discovered the hard way that indemnity provisions do not provide the protection they assumed. After three years of headline news around cyber-attacks and the ripple effect on M&A transactions, there shouldn’t be any surprises left on the table.
While ensuring due diligence around one of today's top business risks seems logical, I'm surprised to see that (far) more often than not, cyber resilience is left as an unknown in M&A transactions. In today's digital economy, this approach is destined to cause new headlines about cyber-induced decreases in valuations.