Nothing can vaporize enterprise value faster than a cyber event, especially at a juncture as critical in a company’s life as an M&A deal.
Given the notorious complexity of M&A transactions, a proper assessment of the target company’s exposure to cyberrisk can be easily overlooked, as other concerns dominate management’s attention. But the number of exposure points for businesses have increased because of factors like the popularity of cloud computing, the use of software-as-a-service technology, the Internet of Things, and reliance on third-party processing solutions. The introduction of the recent General Data Protection Regulation in Europe and other info-security regulation is also set to have huge potential impact on these types of transactions.
As a result, cybersecurity due diligence during the deal process must move from only a priority for technical and information security teams — and an irritating afterthought to corporate development teams — to a high priority among senior executives across all industries. Just look at the impact of the Yahoo-Verizon deal, when the price dropped $350 million after two cyberattacks. Every day in the news, and behind the scenes, we see the growing impact of cyberrisk across organizations and increasing overall enterprise risk.
Cybersecurity due diligence should be part of the standard diligence process, alongside issues such as compliance with Foreign Corrupt Practices Act and Anti-Money Laundering laws, financial concerns, information technology, and management teams. Securing the deal process itself is also a huge concern, given the multiple parties and commercially sensitive data involved, which make all entities involved a target for hackers.
Effective pre-deal due diligence means conducting comprehensive cyber risk assessments on target companies. That should include a 100-day, post-deal tactical plan that accounts for any necessary remediation. A risk-based approach is needed because, for example, IP and trade secret due diligence will be of great importance in the context of transactions whose value rests on technology innovations, or in complex geopolitical environments with high incidence of corporate espionage. In these cases, full source code reviews must be conducted to ensure and document the company’s original ownership. If that were undermined, it could kill a deal or cause serious problems later on.
Equally, when companies manage or own confidential or regulated information, such as under Health Insurance Portability and Accountability Act, their technical controls and compliance measures around this data must be assessed. In general, it’s crucial that the information security teams should be engaged early in the process to ensure there is time to probe the security posture in sufficient detail. It may be necessary to conduct penetration tests, for example, and review policies and incident response readiness plans. This approach will also allow the acquiring entity to adjust representations, warranties and escrows accordingly, to ensure cooperation and adherence to remediation plans.
Post-deal cybersecurity due diligence is also fast gaining traction with private equity and holding companies as they evaluate the maturity of their portfolio and identify the most common and urgent vulnerabilities. This type of continuous assessment is particularly critical, given the interconnectivity that exists within many business scenarios, where a successful cyberattack on one company could impact the return profile of the entire portfolio. Once the risk is assessed, there is often potential for significant cost savings when implementing security best practices across multiple companies. That is also a good time to consider risk transfer options to protect against business interruption and other cyber-related risks.
We will undoubtedly continue to see M&A deals being undermined or even abandoned because of unaddressed cybersecurity issues. However, heightened awareness among growing numbers of executives is starting to lead to more thorough cybersecurity evaluations as part of fundamental due diligence when investing. Previously, cybersecurity due diligence was about reviewing documentation and moving on, but now companies are beginning to properly assess the security posture of target companies. It can validate valuations and will ultimately protect the investment for the long term.
Jason J. Hogg is Chief Executive Officer, Aon’s Cyber Solutions Group, and a Senior Lecturer of Innovation and Technology at Cornell University’s Johnson School.
