Many don’t consider digital risk when negotiating M&A deals. But understanding digital security is as crucial a part of the decision to invest as financial diligence – and failure to do so could cost dealmakers dearly.
The UK M&A market is experiencing a healthy level of activity with 7,539 deals announced in 2018. And numerous academic studies and articles show that between 70% and 90% of all M&A deals fail.
Because buying any business is so fraught with risk, acquirers spend a significant amount of time, effort and money on corporate and financial due diligence. One area that many dealmakers continue to underestimate or miscalculate, however, is digital security risk. Merrill Corp and Euromoney Institutional Investor’s recent study, DueDiligence2022, found 55% of M&A deals are delayed because of a target organisation’s questionable digital security.
Vijay Rathour, Head of our digital forensics group says acquirers need to be sure if the company has experienced an overt or covert cyber incident that may have a detrimental impact on the valuation of the business.
Connecting unpatched, compromised or infected systems to the acquirer’s IT network can carry over vulnerabilities and historical system compromises, risking data theft, ransomware and other types of attack. The ramifications could end up costing far more than the deal’s value.
This is especially so since the advent of the European General Data Protection Regulation (GDPR) with potential fines of up to 4% of a company’s annual turnover for a data breach. “GDPR has given the regulators a big stick and they are starting to use it,” says Rathour. “We are seeing the prospect of significant fines, potentially into nine figures.”
“A company’s leadership must understand that digital risk can have a significant impact, not only on the valuation of a deal, but on future legal liability associated with the transaction,” explains Jake Olcott, Vice President, Government Affairs at BitSight, an independent security ratings platform.
This ‘cyber debt’ is highest when a larger, established business acquires a smaller firm or start-up. The smaller company will typically have a less mature approach to digital security and fewer resources to protect itself.
Unfortunately, many acquirers only discover a problem post deal as the target company itself might not even be aware of a cyber attack. Current studies show that it can take a business 279 days to identify that it has suffered an attack and then contain its impact.
This failure to identify problems with the cyber health of the business can result in costly mistakes, as demonstrated by the acquisition of Yahoo by US telecoms giant Verizon. During negotiations, Yahoo disclosed three massive data breaches, reportedly affecting three billion users, that took place between 2013 and 2016. When the deal closed in 2017, Verizon knocked $350 million off the original $4.8 billion price that had been agreed.
Acquirers and investors can use digital due diligence services and cyber audits, as well as specialist cyber insurance, to safeguard the merged organisation.
“Digital risk should be treated as any other source of risk and investigated,” explains Andrew Scott, Assurance Regional Lead Scotland at IT security firm Context Information Security. “Does the target have a valid approach to detecting and managing digital risk and is that process fit for purpose? Are there digital risks on the risk register? If not, the cyber position should be treated as unknown and priced in or investigated as appropriate.”
Acquirers should conduct thorough cyber diligence and assess the business’s approach to digital security as a whole, from staff training and awareness to specific security measures, such as data loss prevention, and even incident logs. This should be backed up by interviewing senior security officials in the target firm.
Digital experts, who can advise the M&A team, should report on the cyber hygiene of the business and recommend measures to fix or mitigate security shortfalls, or express a view on the commercial impact of leaving these issues unchecked.
From the seller’s point of view, firms can also take steps to improve the marketability of the business and preserve its valuation.
“They need to make sure their cyber security processes are robust and have recently been reviewed,” says David Petrie, Head of the Corporate Finance Faculty at the ICAEW. “The acquirer will be looking at that pretty carefully.”
While target companies are expected to disclose known security breaches to a potential buyer, unknown breaches obviously present an unpredictable risk. One option is to extend warranty and indemnity insurance for the deal to cover digital risks. A policy will reassure the acquirer that the company’s protection measures are fit for purpose or, should a historical cyber incident come to light demonstrating that they are not, the insurance can compensate the acquirer.
“It is easy to state that you have never suffered a fire, but much harder to say you have not suffered a cyber attack,” says Rathour.
Digital due diligence takes time and costs money. But the price of a cyber audit is relatively small set against the value of a deal or other professional fees, and can be dwarfed by potential fines for a data breach.
“M&A teams are improving their understanding of digital risks, but there is still a significant knowledge gap,” says Tony Vizza, Director for Cyber Security Advocacy, APAC at non-profit membership association (ISC)2. “We highly recommend that M&A teams hire cyber security certified experts who can assess a target’s IT security defence.”
This will only become more critical as data becomes increasingly valuable and more business is carried out online. “We are still only at the start of where this will take us,” adds Rathour. “Hackers will find their way into any organisation if it’s not properly protected".
“That message can get lost in M&A, but if you explain to businesses that poor encryption standards could cost £100 million they begin to understand why cyber due diligence is as critical as financial diligence.”
Mike Thornton, partner, leads our global valuation network, which looks at how digital risks may affect a company’s valuation during M&A.
“When you buy a company, you buy its data. And you take responsibility for its data security – past, present and future. That can mean inheriting its cyber failings, which can have a significant impact on its value. The onus is now on an acquiring business to assure that the value of the data they’re taking ownership of is protected.
“A cyber breach can affect a company’s value in a number of ways: from IP theft and business interruption to lost revenue due to trust being damaged. It can take weeks or months for a listed company’s market cap to recover.
“Despite these risks, M&A practitioners have been routinely overlooking cyber security when valuing and buying companies. But in the digital era, cyber due diligence needs to be part of every transaction.
“Ultimately, it will enable the correct valuation of the target’s information assets, leading to a more accurate assessment of the value of the business as a whole. And most of all, it will help you to preserve that value.”
For more on how digital risks may affect your business during M&A, contact Vijay Rathour, Head of the Digital Forensics Group.
