Last year was a record year for both the number of mergers and acquisitions and the number of cyber-attacks around the world. Data breaches can have drastic short- and long-term financial consequences on a company, in the form of forensic investigations, customer notifications and litigation, reduced sales from loss of customer loyalty, government data privacy regulatory action, and in the case of trade secrets, loss of competitive advantage. What this means for executives is that ignoring cybersecurity during acquisitions can bring potentially significant liabilities to their company and risks to the deal value and return on investment. And to make matters worse, if the target company is not already compromised, security research across the industry shows that transactions are a favorite target for hackers. By exploiting the increased levels of external email and document exchanges during the transaction process, hackers are able to easily achieve their goals of gaining access to confidential information that unsuspecting companies assume is secure — intellectual property, manufacturing techniques, personally identifiable information, strategy documents, customer pricing, supplier data — for market manipulation, antitrust use and financial gain.
The good news is that cyber due diligence can go a long way toward identifying and mitigating these risks, if clients address the risk with the correct approach. In addition to having knowledge of the technological aspects of cybersecurity to ensure IT systems and deal processes are secure, it is also essential that you understand the business aspects of why and what confidential information is being targeted by hackers. This combined approach will allow you improve your strategic decision making and protect short- and long-term stakeholder value.
It’s no longer enough to hire the best-in-class technical cybersecurity experts. The Board of Directors, Audit Committee and C-suite all need to know what strategic imperatives of their company are at risk in the event of a cyber breach related to a transaction. They need a detailed understanding and quantification of how those risks may impact the company’s post-closing revenues, profits, market value, market share and brand reputation. Given both the heightened risk and the continuing pace of global M&A activity (as projected by EY’s October 2015 Global Capital Confidence Barometer), cyber risks related to inorganic growth strategies and transaction deal processes are taking a more prominent position in boardroom discussions with C-suite executives and all key stakeholders.
An approach for each phase of a transaction
Assessing cyber risks during strategy and target identification
The impact of cyber risks should be factored into your decision making at the earliest stage of the transaction lifecycle — strategy and target identification. Gaining an understanding of cyber risks and modeling the impact of those risks to financial forecasts and potential valuations of a specific target company is possible without engaging directly with the target.
For example, an EY team conducted a recent “passive” assessment for a client in the retail and consumer product sector that was interested in acquiring a competitor. By performing “dark” web searches, understanding external internet-facing vulnerabilities and modeling the financial impact of the cyber risks identified for this possible growth strategy, we were able to help our client redirect its focus to an alternative competitor that had similar strategic value but less costly cyber risks. It’s important to understand that the cost of cyber risks may not only impact a company’s return on invested capital, but that attacks can result in loss of competitive advantages, costly remediation, fines and possibly years of litigation, depending on what is stolen.
Assessing cyber risks in due diligence and deal execution
During due diligence and deal execution — the second and third phases of the transaction lifecycle — it is important to look for insufficient investment in cybersecurity infrastructure, a lax attitude toward cyber risk, and terms and conditions in customer and supplier contracts which may have a financial impact or result in litigation for noncompliance.
If due diligence or an investigation reveals an ongoing breach, the merger needs to be paused in order to mitigate the risks and patch any holes. You want to avoid what happened to two companies recently, which discovered after their deals closed that cyber breaches and significant data thefts had occurred just weeks prior to closing.
Cybersecurity inquiries related to rep and warranty insurance also prompted a client to ask for help after signing, but one week before closing, a proposed transaction. Discoveries of risk included noncompliance with cyber-related data privacy laws, and potentially massive litigation and reputational risk in the event of a data breach because the target had made binding promises about its information security to its most important customers. As a result of not evaluating the target company’s cyber risks prior to signing the purchase agreement, the client was unable to negotiate a reduction in purchase price to cover the costs of remediation or defer closing the deal until the remediation was complete.
Assessing cyber risk during integration
Executives and advisers now understand that the standard cyber risk checklist process is not working. If you ask if something is encrypted or segmented, the answer may be yes, but that segmentation has seven different layers and is far from simple. Integration teams need to have the expertise to explore and delve into the smallest of details. When connecting two corporate networks, the entire company becomes vulnerable to cyber risks.
During the integration process, not only is there is an increased risk of theft of intellectual property by disgruntled employees, there is also risk of malware moving from one corporate network to the other and unauthorized access by departing users due to poor off-boarding processes.
In the case of another acquisition, the company performed cybersecurity diligence but the due diligence team was not able to translate the technical risks into business risks — a possible customer-record data breach through internet-facing computers. After the breach was discovered post-integration, EY was asked to help the acquiring management team assess the gaps in the cyber due diligence and integration processes. We showed the C-suite how, by translating the technical issues which were identified during diligence into financial, reputational and litigation challenges, the cyber risks would have been more broadly understood and could have been acted upon prior to the transaction closing.
Post-transaction value creation
Of course, post transaction there are lots of opportunities for portfolio improvement and growth through continued monitoring of cyber risk. For example, if a company has low cyber maturity — as benchmarked against industry standards and competition — it could impact growth plans and brand reputation due to cyber incidents and possible fines. A breach or compliance issue could cause regulators to investigate similar companies or divisions in your firm’s overall portfolio leading to a financial loss and potential stalling of exit plans. Cyber issues can also lead to legal action by customers and suppliers causing value loss and exit delays with lower returns.
Cyber due diligence helps companies identify cyber threat vulnerability through the transaction life cycle from strategy to integration. Where companies are exposed to cyber risk or they rely on electronic information assets and platforms as a critical business enabler, considering cyber in due diligence is imperative to identify factors affecting valuation and also the potential risks to and opportunities for creating future value. It strengthens a firm’s negotiating position by identifying and putting a dollar value on the biggest security risks of the target company. Cyber due diligence also demonstrates to companies’ boards and regulators that management is actively seeking to protect the value and strategic drivers of the transaction and also to lower the risk of a cyber-attack against the target company before integration. These risks and upsides can then be factored into the initial price paid and performance improvement investments that will raise the transaction value, enabling a robust equity story to be presented to investors.
Cyber risks during the deal process
According to published reports, hackers have already broken into the computer networks of several large U.S. law firms with the FBI and the Manhattan U.S. Attorney’s office now investigating these breaches. Hackers have threatened more such attacks in postings on the internet, and these particular attacks signal that thieves are scouring the digital landscape for more sophisticated types of information than credit card accounts. Law firms, financial advisers and other associated firms are attractive targets because they hold trade secrets and other sensitive information about corporate clients, including details about undisclosed M&A that could be stolen for insider trading or to gain a competitive advantage in deal negotiations. At the end of 2015, the FBI actually warned advisory firms that securities traders were using “hackers-for-hire” to access the email accounts of more than 100 executives in an attempt to get privileged information around deals.
The risk of attack starts before an official merger announcement is even made. Attackers look for hints that a company is considering a merger, acquisition or divestiture through industry gossip including a slowdown in a company’s release cycle or staff reductions, and data leakage on social media blogs. There are three primary ways that information is at risk: (1) a hacker works into the network through holes in the defenses, starting with a company’s internet-facing computers; (2) a hacker launches a social engineering attack against a company employee; and/or (3) company insiders (employees, contractors, vendors) release or sell sensitive data and information whether maliciously or just negligently.
M&A is a time when the inside details of a business are shared with multiple third parties, including all vendors involved in the process, even cloud-based service providers; a time when core intellectual property is exposed; and a time when businesses are often carved out or integrated across IT and operational boundaries. These attacks often go undetected because many companies don’t employ a heightened cybersecurity monitoring during the transaction process.
Organizations today clearly are not prepared for the increased cyber risk, particularly during the transaction process. In EY’s Global Information Security Survey (GISS), 56% of respondents said that it is “unlikely” or “highly unlikely” that their organization would be able to detect a sophisticated attack. Less than 20% of organizations said they have real-time insight on cyber risks according to the same survey. Yet, understanding the cyber risks involved when buying or selling companies is critical to the success of the transaction.
In EY’s October 2015 Global Capital Confidence Barometer, 45% of respondents said that they are increasing measures to protect against cyber breaches of the M&A process and 41% said they are more concerned about business cyber breaches than they were 12 months ago. And for good reason. Because cybersecurity has emerged a top risk consideration for boards today, CFOs and C-suite executives will undoubtedly be under fire and scrutiny to demonstrate how their company is protecting, responding and mitigating possible leakages.
In summary, cyber diligence calls for a two-pronged approach. Companies must bridge the gap between the technical cyber risks and related business impacts throughout the transaction lifecycle to protect the transaction’s return on investment and the company’s value post-transaction. In addition, all parties involved in the deal process need to be aware of and monitoring for the increased threat of a cyber-attack during the transaction processes itself. Applying this two-pronged approach during M&A will serve to ultimately protect stakeholder value.