skip to main content

Why Cybersecurity Is Critical to Your Deal's Success

Why Cybersecurity Is Critical to Your Deal's Success

Conducting due diligence during the M&A process doesn’t just mean reviewing a target’s financial statements and operations. Not anymore, anyway. These days, in addition to performing financial, legal and operational due diligence, buyers need to scrutinize a potential acquisition’s data and IT networks and Cybersecurity practices.
Why? Look no further than the Yahoo/Verizon deal, where negotiations came to a screeching halt after Yahoo admitted that hundreds of millions of its user accounts had been hacked. Unfortunately, lax cybersecurity can affect a merger’s terms, valuation, postmerger integration — and, of course, simply kill the deal.

Buyers Beware
When a buyer acquires a company, it also acquires the target’s present and future data security issues. Given the potential costs and legal obligations this inheritance represents, you need to be careful about courting a seller with a history of cyberbreaches.

Many buyers already are. A 2016 NYSE survey of public company directors and officers found that more than half believe that data vulnerabilities would significantly lower the value of a potential target. About 85% agreed that major vulnerabilities in a seller’s software assets would “likely” or “very likely” affect their final purchase decision. In addition, 22% said they’d likely abandon a deal if the company suffered a high-profile data breach.

Into the Breach
The Yahoo deal is a perfect example of how a data breach can wreak havoc in an M&A deal negotiation. In June 2016, Verizon agreed to acquire Yahoo’s core Internet business for $4.8 billion. In the following months, Yahoo disclosed that it had been hacked in 2013 and 2014, affecting possibly 1.5 billion email accounts.

In response, Verizon extended the deal negotiation process and reduced its offer by $350 million. It also negotiated for Yahoo to share in current and postmerger legal responsibilities and costs associated with the breaches.

Seller Strategies
Under these circumstances, selling businesses shouldn’t be surprised when potential buyers express interest in the security of their data. Before even entering the M&A market, sellers should devise and implement a strong cybersecurity policy. Doing so includes performing regular audits and pinpointing system weaknesses. Sellers — particularly those that have been relatively lax about cybersecurity — may need to increase their IT security budgets.

Prospective buyers are likely to look for several things during the due diligence stage, including compliance with all applicable federal, state and international standards. For example, companies generally must report data breaches to customers within a certain timeframe.

If your business has suffered data breaches:

• Record and describe them in detail,
• Tally any past or outstanding legal obligations and related costs,
• Demonstrate how the breaches were successfully resolved, and
• Explain what steps you’ve taken since to prevent future hacking.

To reassure buyers that the same thing won’t happen again, consider engaging a third party to conduct a fresh IT audit. Your M&A advisor can help you find an appropriate expert.

Taking it Seriously
There’s no going back. Every company must take responsibility for protecting its data and networks from hacking. This pressure is even stronger if you hope to sell your business because, even if you don’t take IT security seriously, your buyer certainly will.

Hide Firm Disclaimer


UHY LLP is a licensed independent CPA firm that performs attest services in an alternative practice structure with UHY Advisors, Inc., and its subsidiary entities. UHY Advisors, Inc.’s subsidiaries, including UHY Consulting, Inc., provide tax and business consulting services through wholly owned subsidiary entities that operate under the name of “UHY Advisors” and “UHY Consulting”. UHY Advisors, Inc., and its subsidiary entities are not licensed CPA firms. UHY LLP, UHY Advisors, Inc. and UHY Consulting are U.S. members of Urbach Hacker Young International Limited, a UK company, and form part of the international UHY network of legally independent accounting and consulting firms. “UHY” is the brand name for the UHY international network. Any services described herein are provided by UHY LLP, UHY Advisors and/or UHY Consulting (as the case may be) and not by UHY or any other member firm of UHY. Neither UHY nor any member of UHY has any liability for services provided by other members.

On this website, (i) the term "our firm", "we" and terms of similar import, denote the alternative practice structure conducted by UHY LLP and UHY Advisors, Inc. and its subsidiary entities, and (ii) the term "UHYI" denotes the UHY international network, in each case as more fully described in the preceding paragraph.