As security increasingly becomes a boardroom issue, cyber risks should be a focal point in M&A talks. Industry experts share insights into why conducting a cybersecurity due diligence is necessary before signing on the dotted line.
In September last year, Colorado Timberline, an American printing company that worked in the promotions industry, posted a message on its website to say that it had ceased operations following a ransomware attack.
The abrupt closure was not just bad news for the dozens of people who worked there – it was also a disappointing outcome for two private equity firms that, in 2017, had bought Colorado Timberline. A promising investment had quickly turned sour.
There have been numerous high-profile examples of cyber breaches that came to light only after an acquisition. Among them is the leak involving 1.4 million users revealed after TripAdvisor had spent $200 million buying Viator in 2014. TripAdvisor’s share price suffered as a result.
Such unfortunate cases illustrate the cyber risks associated with mergers and acquisitions, and bring to the fore the importance of cybersecurity due diligence, which involves carrying out a comprehensive audit of the cybersecurity status of a target company.
“It’s only been within the last three to five years that cybersecurity has become a fundamental part of the diligence process,” says Steven Chabinsky, a Washington, DC-based partner with the law firm White and Case.
“The rationale is a growing understanding of the impact of cybersecurity for the protection of financial business interests, combined with a growing reliance on technology by companies as part of their value.”
There are multiple reasons why cybersecurity due diligence could be considered. A key factor is the protection of the potential acquisition’s intellectual property rights (IPR).
“If the main driver of the acquisition is the IPR, cybersecurity due diligence is vital in ensuring that the buying company doesn’t walk out of the door,” says cybersecurity specialist James Arthur, who recently returned to work in the UK as head of cyber consulting for Grant Thornton after a five-year spell based in Dubai.
Another issue is ensuring that the potential acquisition complies with privacy legislation, such as that associated with data protection.
Without appropriate cybersecurity, it is not possible to have compliance with data protection laws, says Chabinsky.
“As data privacy protections have become more important as a business differentiator and as regulators have increased their focus on the protection of consumer and employee data, and have enhanced the fines in the event of non-compliance, cyber due diligence is increasingly becoming pertinent among businesses,” he says.
Chabinsky highlights a third reason why a cybersecurity audit is important: to ensure that there are adequate financial controls in place. A company must be able to protect its accounting systems to ensure their accuracy, and to avoid potential litigation and regulatory fines.
The pervasiveness of digital technology is a fourth reason for a comprehensive cybersecurity audit.
“It’s easy for people to understand that traditional technology companies require cybersecurity diligence, but people have only recently realized that companies we don’t traditionally view as technology companies are increasingly dependent on technology, and the cybersecurity needed to protect it, for manufacturing all of their products, communicating with their customers, and delivering their services,” says Chabinsky.
Sometimes during diligence, cybersecurity technical audits are conducted by people with a mix of technology and risk-management backgrounds. Simultaneously, commercial specialists many consider the potential impact of weaknesses on valuation, while legal experts explore regulatory and contract compliance gaps.
Chabinsky says that it is ideal if cybersecurity and data privacy are considered together by the same team during the due diligence process. However, if intellectual property, privacy and cybersecurity are looked at simultaneously by the same diligence experts, which they often were in the past, it will expand the role of those specialists.
The audit will aim to determine not just whether a company has been compromised in the past, but whether there are current, active threats.
As well as penetration testing to check cyber defences, Arthur says the process will typically include a “paper trawl” that looks at what information may have been breached. Searches on the dark web or deep web may also be carried out to see if the target company is being talked about in closed forums.
Cybersecurity auditors will, says Arthur, try to gather information from the organisation itself and conduct a thorough threat hunt within the network.
More cybersecurity-aware companies may be better able to disclose vulnerabilities. Experts say that those without formal procedures in place, and that have not yet fallen victim in a significant way, may understand less about the threats.
In the five years that Arthur was based in the UAE, he carried out cybersecurity work across the GCC and elsewhere in the Middle East. From his experience, the importance of cybersecurity due diligence is increasingly being recognised in the region.
“It is slowly but surely becoming a top priority for organisations,” he says.
So, in the years to come, we can expect more businesses to be thinking about cybersecurity due diligence to ensure that there are no nasty surprises after they have opened their wallets for an acquisition.
When a cybersecurity audit highlights problems in a company, there are several options open to the potential purchaser of that firm.
One is simply to back out of the deal, although Steven Chabinsky, of the law firm White and Case, says that cybersecurity issues alone are “very rarely” the reason why a potential merger or acquisition falls through.
They are sometimes found among myriad problems. If things are in “such disarray” on the cyber side, it can suggest management failures, says Chabinsky, and these could be a reason why the acquisition should not proceed.
“Often when that’s true, other specialist teams, they’re seeing the same thing,” he says.
James Arthur of Grant Thornton says that, if something as serious as an intellectual property leak has been highlighted, the acquiring partner may reconsider a deal.
Aside from scrapping a deal, another outcome is that the transaction is delayed while problems the audit identified are remedied.
“The third, more likely [outcome is that] the company doing the acquiring say this could alter the price, or they make some other demand,” says Chabinsky.
The cost of remedying the problem, and potential future liabilities, will be taken into account when the price of the acquisition is determined.
Consequences can be significant: Verizon Communications reduced the price it paid for Yahoo by $350 million, and split future costs and liabilities, when two data breaches came to light.
“I think that lawyers are increasingly finding themselves in a position to help sellers understand how the cybersecurity programme and resulting gaps might impact a deal, and what they should be putting in place prior to going to market,” says Chabinsky.
Security problems may increase the costs associated with integrating or deploying technology after an acquisition, and these may affect the purchase price.
A common outcome is that the purchasing company has a plan in place to remedy issues immediately after the acquisition is closed.