Conducting due diligence during the M&A process doesn’t just mean reviewing a target’s financial statements and operations. Not anymore, anyway. These days, in addition to performing financial, legal and operational due diligence, buyers need to scrutinize a potential acquisition’s data and IT networks and Cybersecurity practices.
Why? Look no further than the Yahoo/Verizon deal, where negotiations came to a screeching halt after Yahoo admitted that hundreds of millions of its user accounts had been hacked. Unfortunately, lax cybersecurity can affect a merger’s terms, valuation, postmerger integration — and, of course, simply kill the deal.
When a buyer acquires a company, it also acquires the target’s present and future data security issues. Given the potential costs and legal obligations this inheritance represents, you need to be careful about courting a seller with a history of cyberbreaches.
Many buyers already are. A 2016 NYSE survey of public company directors and officers found that more than half believe that data vulnerabilities would significantly lower the value of a potential target. About 85% agreed that major vulnerabilities in a seller’s software assets would “likely” or “very likely” affect their final purchase decision. In addition, 22% said they’d likely abandon a deal if the company suffered a high-profile data breach.
Into the Breach
The Yahoo deal is a perfect example of how a data breach can wreak havoc in an M&A deal negotiation. In June 2016, Verizon agreed to acquire Yahoo’s core Internet business for $4.8 billion. In the following months, Yahoo disclosed that it had been hacked in 2013 and 2014, affecting possibly 1.5 billion email accounts.
In response, Verizon extended the deal negotiation process and reduced its offer by $350 million. It also negotiated for Yahoo to share in current and postmerger legal responsibilities and costs associated with the breaches.
Under these circumstances, selling businesses shouldn’t be surprised when potential buyers express interest in the security of their data. Before even entering the M&A market, sellers should devise and implement a strong cybersecurity policy. Doing so includes performing regular audits and pinpointing system weaknesses. Sellers — particularly those that have been relatively lax about cybersecurity — may need to increase their IT security budgets.
Prospective buyers are likely to look for several things during the due diligence stage, including compliance with all applicable federal, state and international standards. For example, companies generally must report data breaches to customers within a certain timeframe.
If your business has suffered data breaches:
• Record and describe them in detail,
• Tally any past or outstanding legal obligations and related costs,
• Demonstrate how the breaches were successfully resolved, and
• Explain what steps you’ve taken since to prevent future hacking.
To reassure buyers that the same thing won’t happen again, consider engaging a third party to conduct a fresh IT audit. Your M&A advisor can help you find an appropriate expert.
Taking it Seriously
There’s no going back. Every company must take responsibility for protecting its data and networks from hacking. This pressure is even stronger if you hope to sell your business because, even if you don’t take IT security seriously, your buyer certainly will.