A number of high-profile cybersecurity issues have emerged in mega M&A transactions over the past decade, which heightened concern among corporate executives.
In 2017, Yahoo reported three data breaches in its negotiations to sell its internet business to Verizon [Disclosure: Verizon Media is TechCrunch’s parent company]. As a result of the disclosures, Verizon then reduced its purchase price by $ 350 million, approximately 7% of the purchase price, with sellers assuming 50% of future liability for data breaches.
While the ramifications of cyber threats were clearly perceived by Yahoo shareholders and covered extensively on the news, it was an extraordinary occurrence that raised the eyebrows of M&A practitioners but did not fundamentally change standard M&A practices . However, given the high potential cost of cyber threats and the high frequency of incidents, acquirers need to find more comprehensive and appropriate ways to address these risks.
As cybersecurity conversations accelerate during an M&A process, today executives and M&A professionals will point to improved processes and outsourced services to identify and prevent security issues. Despite increased awareness among financial managers and an increased number of outsourced solutions to address cybersecurity threats, acquirers continue to report an increasing number of cybersecurity incidents on acquired goals, often after the goal has been achieved. Even so, acquirers continue to focus on finance, legal, sales, and operations, and typically view cybersecurity as an ancillary area.
While past or potential cyber threats are no longer ignored in the due diligence process, the fact that data breaches are still on the rise and can have negative financial repercussions that will be felt long after the contract is signed shows that the acquirers churn Need to further improve their approach and the fight against cyber threats.
The current lack of focus on cybersecurity issues can be partly attributed to the dynamics of the M&A market. Most midsize companies (which make up the nominal majority of M&A deals) are typically sold through an auction process in which the seller engages an investment bank to maximize value by encouraging competitive dynamics between interested bidders. In order to increase competitiveness, bankers will usually move a business process forward as quickly as possible. With tight time constraints, buyers are forced to prioritize their due diligence activities, as otherwise there is a risk of falling behind in a business process.
A typical business process for a private company is as follows:
- The selling company̵
- After the first review period, expressions of interest (IOI) are due from all interested bidders asking for the rating and business structure (cash, shares, etc.).
- After submitting the IOIs, the investment banker works with the sellers to select the best bidders. The most important criteria that are assessed include the rating as well as other considerations such as timing, closing security and credibility of the buyer to complete the transaction.
- Bidders selected to move forward are typically given four to six weeks after the IOI date to delve deeper into critical due diligence issues, review information in the seller’s data room, a management presentation, or Q&A with management of the target and conduct on-site visits. This is the first phase in which cybersecurity issues can be most efficiently addressed.
- The letter of intent is due when the bidders reconfirm the assessment and propose exclusivity periods during which one bidder is exclusively selected to complete their due diligence and close the deal.
- Once a LOI is signed, bidders typically have 30 to 60 days to finalize the negotiation of final agreements detailing all of the terms of an acquisition. At this stage, acquirers have another way to resolve cybersecurity issues, often using third-party resources. In doing so, considerable costs can be invested with the greater security that the exclusivity period offers. The degree to which third-party resources are focused on cybersecurity compared to other priorities varies widely. In general, however, cybersecurity is not a priority.
- Closing occurs simultaneously with the signing of final agreements. In other cases, post-signature closing is often based on regulatory approvals. In both cases, once a contract has been signed and all important terms and conditions have been determined, buyers can no longer unilaterally withdraw from a deal.
In such a process, acquirers must balance internal resources in order to thoroughly evaluate a goal and move fast enough to remain competitive. At the same time, the main decision-makers in an M&A transaction usually come from the areas of finance, legal, strategy or operations and rarely have meaningful IT or cybersecurity experience. Due to limited time and background in cybersecurity, M&A teams typically focus on more pressing transactional areas of the business process, including negotiating key business terms, analyzing business and market trends, accounting, debt financing and internal approvals. With only 2-3 months to evaluate a transaction before signing it, cybersecurity typically gets limited focus.
When assessing cybersecurity issues, they rely heavily on information from the seller about previous issues and internal controls in place. Of course, sellers can’t reveal what they don’t know, and most organizations are unaware of attackers who might already be on their networks or significant vulnerabilities they are unaware of. Unfortunately, this assessment is a one-sided conversation that is based on truthful and comprehensive information from salespeople and gives the expression a new meaning Reservation Emptor. It is therefore no coincidence that a recent Forescout survey of IT professionals found that 65% of respondents expressed buyer’s remorse over cybersecurity issues. Only 36% of respondents felt they had sufficient time to assess cybersecurity threats.
While most M&A processes typically do not prioritize cybersecurity, M&A processes often focus directly on cybersecurity issues when known issues arise during or before an M&A process. In the case of Verizon’s acquisition of Yahoo, the disclosure of three serious data breaches resulted in a significant reduction in the purchase price as well as changes to key terms, including the provision that the seller would bear half the cost of future liabilities from such data breaches. In April 2019, Verizon and the unacquired portion of Yahoo would split a $ 117 million severance payment for the data breach. In a more recent example, Asco has been taken over by Spirit AeroSystems since 2018. The closure was delayed mainly due to a ransomware attack on Asco. In June 2019, Asco experienced a ransomware attack that forced the temporary closure of factories and ultimately resulted in a 25% reduction in the purchase price from the original USD 604 million by USD 150 million.
In both the Spirit and Verizon acquisitions, cybersecurity issues were largely addressed through valuation and deal structure, which limits financial losses but barely prevents future problems for a buyer, including loss of trust among customers and investors. Similar to the Spirit and Verizon acquisitions, acquirers typically use structural elements of a business to limit economic losses. Various mechanisms and structures – including representations, warranties, compensations, and asset purchases – can be used to effectively transfer the direct economic liabilities of an identifiable cybersecurity problem. However, they cannot compensate for the greater loss that would result from reputational risk or the loss of important trade secrets.
The examples from Spirit and Verizon show that cybersecurity risk has a quantifiable value. Acquirers who do not actively evaluate their M&A goals may introduce risk into their transaction without mitigating it. Given a limited time frame and the inherently opaque nature of a target’s cybersecurity issues, acquirers would benefit greatly from outsourced solutions that would not require trust or input from a target.
Ideally, the scope of such an assessment will reveal previously unknown deficiencies in the target’s security and exposure to business systems and key resources, including data and corporate secrets or intellectual property. Without this knowledge, acquirers enter into deals that are partially blind. The best course of action in the industry, of course, is to reduce risk. Adding this measure to your cybersecurity assessment is great practice today and likely a mandatory requirement in the future.