Cyber-security has become an increasing concern to M&A dealmakers recently.
Deliberate leaks and hacks have the potential to jeopardise, expose or stall the merger and acquisition process. Perhaps more importantly, by negatively affecting perceptions of accountability and reputation, they can even have an effect on the value of a deal.
A browse through the business pages over the past few months only highlights this concern, with several ongoing M&A processes impacted by cyber-security-related incidents.
Often the issue can be of a “gossipy” or reputational nature. Some months before Salesforce.com showed an interest in Twitter, for example, an email hack revealed a list of the cloud CRM provider's other potential M&A targets, none of which was Twitter. While most companies will possess such a list, very few will have had it made public in such a manner.
And cyber-security issues can have direct financial implications too. Take the example of US telecommunications giant Verizon's agreement to buy Yahoo!'s core internet business for US$4.8 billion (£3.6 billion) in July 2016. Following the revelation that Yahoo! had experienced the biggest recorded data breach, in which more than a billion accounts were compromised, Verizon demanded better terms before signing the deal.
Elsewhere, Australian telecommunications firm Telstra had to cover the costs of the damage suffered by Pacnet when its corporate IT network was compromised, weeks before the undersea cable company was acquired by Telstra.
Examples such as these demonstrate the importance for M&A practitioners of knowing the impact a significant data leak could have on the valuation of a target company, particularly if it results in buyers dropping out. It's increasingly clear that, as security threats and data privacy regulations continue to mount, organisations should do whatever is necessary to preserve the value of their deals.
A recent survey by Intralinks of 3,182 worldwide M&A dealmakers found that deal values could decrease significantly if the target company experienced data breaches. Around half of respondents (48 percent) believe bidders would be likely to reduce their valuation of a target by between five and 20 percent, and one in five (19 percent) believe that a bidder would walk away and no longer pursue the transaction.
According to the same survey, around a quarter of dealmakers (24 percent) expect more deals to fail over the next six months due to cyber-security issues than in the previous six.
A growing awareness of the threats to M&A processes, and the potential harm they could cause, has led to an increasing number of M&A practitioners now employing external cyber-security experts. These experts offer them peace of mind by evaluating the acquisition target's security measures as part of the due diligence process.
As a result, the due diligence process itself is changing, and is likely to continue to do so.
Digital due diligence
High-profile data breaches, as well as pending data privacy regulations such as the EU's General Data Protection Regulation (GDPR), which will impose higher financial penalties on data breaches, are set to significantly broaden the scope of M&A due diligence. Acquirers, and targets, will need to consider new “digital” or “cyber-security” due diligence, in addition to the traditional legal, financial, commercial, environmental and HR aspects of due diligence.
Indeed, the implementation of the GDPR is set to play a crucial role in enforcing a standardised level of cyber-security across the EU. If a target company doesn't have the appropriate technical and organisational measures in place to protect the personal information it holds, it risks being non-compliant and potentially subject to large financial penalties. It's important, therefore, for acquirers to carry out appropriate digital due diligence on the target, or else they could find themselves taking on a big additional risk.
How, then, does an acquirer carry out digital due diligence? And what must advisors and corporate development teams be aware of as cyber-security continues to attract more scrutiny?
A buyer will want assurances that the target company has taken appropriate steps to protect confidential information against breaches and to comply with upcoming data privacy regulation. A cyber-security risk assessment of the target will need to be conducted, and the target, to remain attractive, should make this process as easy as possible for the buyer.
With high-profile data breaches making the headlines on a regular basis, and with the GDPR's implementation imminent, it's time that a target's cyber-security readiness was recognised as a key aspect of any acquirer's due diligence process.
Contributed by Philip Whitchelo, VP, strategy & product marketing, Intralinks
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.