Cybersecurity due diligence is an important step in M&A transactions. Security gaps may lead to loss of intellectual property, customer information, business information, and/or other sensitive data that will negatively impact the valuation of a company before or after a merger or acquisition. It is important that all parties entering into a business arrangement verify the security integrity of each other’s systems.
One example of how security incidents have influenced an M&A transaction is the Verizon acquisition of Yahoo in 2017. Yahoo disclosed two large data breaches during due diligence, which resulted in Verizon reducing its offer by $350 million. Performing routine security assessments may have helped Yahoo mitigate these data breaches and save the business from a significant loss in valuation.
Another example of a security incident negatively affecting a business transaction during due diligence was the 2017 deal between SoftBank and Uber. Uber had experienced a data breach that compromised 57 million customers in 2016 and failed to disclose this to SoftBank, hoping to pay off the hackers so that they would delete the data. When the breach was publicly announced, Uber was in the middle of negotiations with SoftBank for a 15% stake in the company. SoftBank decided to continue the transaction, but it reduced Uber's valuation by over $20 billion by the time the deal closed. Uber's reputation and credibility were also damaged by the way it handled this security incident.
One final example demonstrates the financial losses a company can experience when security incidents go unnoticed until after an acquisition. Starwood Group was acquired by Marriott in 2016, and within two years Marriott disclosed a massive data breach that had compromised 500 million Starwood customers since 2014. In this example, Marriott discovered the breach post-acquisition in September 2018, and the disclosure has cost Marriott $28 million so far, with additional fines of over $124 million just surfacing as of July 2019. Had the security incidents been identified during due diligence by the parties, it may have led to a significantly reduced valuation of Starwood.
From these examples, it’s apparent that cybersecurity due diligence during M&A transactions is very important to all parties. A good way to address these concerns begins with a third-party security risk assessment. These assessments help identify IT assets that are vulnerable or compromised and assign each a risk rating, so that the assets can be classified and prioritized based on factors such as potential damages, ease of reproduction, attack sophistication and the scale of the impact to the organization.
The findings help organizations identify and mitigate the highest priority risks that could negatively influence an M&A transaction. Common recommendations may include investing in solutions that provide access control, network security, endpoint security, data encryption, and/or event monitoring to create a defense-in-depth approach to protecting mission-critical systems.
In this article, we demonstrated that cybersecurity due diligence is a very important step for parties engaged in an M&A transaction. We highlighted some examples of companies that were devalued during business conversations as a result of data breaches and companies that were fined heavily for acquiring businesses that had already been victims of a data breach.
By following good cyber hygiene and performing routine security testing, organizations can prevent security incidents from negatively influencing the valuation of their business during an M&A transaction and help all parties feel comfortable with the integrity of their business operations.
Thank you for reading this article and feel free to contact me if you need assistance building or advancing your security program.