Cyber risk remains a top concern for modern CEOs who see it as a potential disruptor to their business in the next 12 months. This becomes particularly significant given the global anticipation of an M&A rebound this year: dealmakers would not want to risk their long-awaited strategic moves due to the poor cybersecurity posture of a target.
In this article, we focus on the role of M&A cybersecurity during due diligence, explain how cyber risk assessment can impact the valuation and negotiation process, and explore where cybersecurity risks intersect with other M&A risks.
The role of cybersecurity in M&A
According to Gartner, 62% of IT and business leaders believe that their companies face substantial cybersecurity risks when acquiring new businesses, with cyber risk being their primary concern among other post-merger challenges.
The role of cybersecurity in mergers and acquisitions indeed shouldn’t be underestimated. Failing to identify and address security problems and risks in M&A in the early stages of a deal can lead to serious financial and reputational consequences for both the acquiring and target companies. Here are a few cases:
TalkTalk, a U.K.-based telecom company, faced a £400,000 fine after a cyber threat actor accessed a customer database it acquired, resulting in a significant data breach.
The valuation of Verizon’s acquisition of Yahoo’s internet business dropped by $350 million following Yahoo’s disclosure of three major data breaches compromising over one billion customer accounts.
A massive data breach in Starwood’s reservation system exposed nearly 400 million guest records and resulted in a $123 million GDPR fine for Marriott due to inadequate data privacy measures during the acquisition process.
In mergers and acquisitions, the focus has traditionally been on areas like finance, legal, and operations, with cybersecurity due diligence often overlooked. However, it’s becoming increasingly clear that organizations considering M&A transactions could benefit from a more dedicated security vulnerability assessment.
CEOs and M&A decision-makers must approach the question of cybersecurity proactively, as a potential data breach can pose a substantial threat to critical business assets, such as intellectual property or customer information.
This risk assessment shouldn’t be a one-time event but rather an ongoing process. That’s why it’s crucial to assess acquisition risks before integration. It’ll help organizations mitigate potential cyber incidents.
Cybersecurity due diligence in the M&A process
About 60% of companies involved in M&A activity consider cybersecurity posture a crucial factor in the due diligence process.
Let’s explore the key components that should be included in mergers and acquisitions cybersecurity due diligence. They will help uncover any security issues and liabilities, assess the costs for remediation, and minimize business disruptions:
- Data security and regulatory compliance
Conduct a comprehensive security audit and assess the target company’s compliance standards with data security and privacy regulations such as GDPR, CCPA, HIPAA, etc. Review data protection policies and procedures to identify any gaps or non-compliance issues.
- Cybersecurity infrastructure
Evaluate the effectiveness of the target company’s cybersecurity infrastructure, including firewalls, intrusion detection/prevention systems, encryption methods, managed security services, and access controls. Identify any weaknesses or vulnerabilities that could be exploited by cyberattacks.
- Incident response and recovery capabilities
Review the target’s incident response plan and procedures to assess their readiness to detect, respond to, and recover from cybersecurity incidents. Evaluate the effectiveness of their incident detection and response capabilities, including monitoring tools and protocols.
- Third-party and vendor risk management
Evaluate the target firm’s relationships with third-party vendors and assess the cybersecurity concerns associated with these partnerships. Review vendor contracts, security assessments, and incident response plans to identify potential vulnerabilities and dependencies.
- Employee training and awareness
Assess the target’s cybersecurity training and awareness programs to ensure that employees are educated about cybersecurity best practices and aware of cybercrime within the evolving threat landscape. Evaluate the effectiveness of these programs in reducing human error and mitigating insider threats.
- IT systems integration risks
Evaluate the potential cybersecurity risks associated with integrating the target’s technology systems and infrastructure with those of the buyer. Ensure secure data migration. Identify any compatibility issues, security gaps, or vulnerabilities that could arise during the integration process.
Impact of cybersecurity on valuation and negotiations
Cybersecurity due diligence findings or hidden cybersecurity issues that prove a target’s poor cybersecurity posture can immensely impact the deal valuation and the negotiation process.
We discuss the possible effects below.
Purchase price reduction
If a cybersecurity team of an acquiring company finds out that the cybersecurity processes of a target company have certain vulnerabilities, this can be reflected in the purchase price. In this case, the potential costs for addressing identified issues, such as system upgrades, hiring security experts, or implementing new protocols, might be factored into a purchase price.
There are two common ways in which purchase price can be impacted:
- Direct costs
Suppose the buyer’s M&A security due diligence team discovers the target has outdated security infrastructure. In that case, it may reduce the purchase price to account for the investment required to bring systems up to standard.
- Liabilities and potential fines
Suppose a due diligence team reveals that a target company’s security teams provide services that are non-compliant with certain data protection regulations, such as HIPAA or GDPR. In that case, the buyer might adjust the purchase price to mitigate potential future liabilities.
Future earnings adjustments
If an acquiring company discovers certain cyber risks post-acquisition, it can necessitate adjustments in future earnings projections. This is because a buyer might face unexpected expenses related to the improvement of current security measures network, legal liabilities, or recovery from data breaches, which can all detract from the anticipated financial performance.
This is how future earnings adjustments can be reflected:
- Revenue impact
A company’s future earnings might be adjusted if cybersecurity issues are likely to affect customer trust and, as a result, revenue. For instance, if a breach becomes public, it can lead to a loss of clients or contracts, reducing the company’s future revenue projections.
- Operational disruptions
The potential risks of operational disruptions due to cybersecurity attacks (for example, ransomware) can affect a company’s valuation. If a target company’s operations are vulnerable to cyberattacks, this risk can lead to an adjustment in the expected cash flows, thereby lowering the overall valuation.
Revision of negotiation terms
The disclosure of certain cybersecurity vulnerabilities can lead to the two companies revising the deal’s negotiation terms. This includes renegotiating certain aspects to protect the buyer from potential losses or liabilities related to undisclosed cybersecurity issues.
Additional read: Learn more about the difference between the buy-side vs. sell-side of M&A in our dedicated article.
The most common items of the negotiation process that are impacted by the cybersecurity risks disclosure are the following:
- Escrow and holdbacks
To mitigate risks, part of the purchase price might be held in escrow or subject to holdbacks, depending on the resolution of identified cybersecurity issues.
- Representations and warranties
Buyers may require sellers to provide warranties against future cyber incidents or breaches that occurred before the acquisition. For instance, this can include warranties that the company complies with relevant cybersecurity regulations and standards.
Brand and reputation damage
Disclosed cybersecurity issues can harm the brand and reputation of the acquired company, and potentially the acquiring company as well. This damage can lead to a loss of customer trust and loyalty, negatively affecting market position and revenue, and may require significant effort and resources to rebuild.
Among the ways of how cybersecurity issues can affect the organization’s reputation are the following:
- Public perception
A company’s reputation regarding cybersecurity can influence its market value. Companies known for strong cybersecurity practices may enjoy a premium valuation, while those with poor records may face discounts.
- Customer trust
Disclosure of certain cybersecurity problems may also undermine the level of trust customers have in a company’s ability of their data protection in the mergers and acquisitions process. As a result, this can significantly affect customer retention and acquisition, directly impacting revenue and valuation.
Comparing cybersecurity risks with other M&A due diligence factors
Now, let’s briefly review how M&A cybersecurity concerns are similar and different from other types of risks in mergers and acquisitions, and find out whether they intersect.
As seen from the table, cybersecurity risks are often either the reason for other M&A risks or their result. This only highlights the importance of timely and accurately addressing cybersecurity for M&A success.
Key takeaways
- Poor cybersecurity practices in M&A can lead to significant financial losses and reputational damage for both parties involved.
- Cybersecurity due diligence should include the assessment of data security, compliance, cybersecurity infrastructure, incident response, recovery capabilities, third-party and vendor risk management, employee training and awareness, and IT systems integration risks.
- The main effects of cybersecurity issues on valuation and negotiation processes are the reduction of purchase price, future earning adjustments, revision of negotiation terms, and reputational damage.
- Cybersecurity issues during M&A can also be a reason or result for other M&A risks, such as financial, operational, legal, and strategic.