Cyber Security Due Diligence Has Become a Fundamental Part of M&A Transactions

Data breaches and a failure to comply with governmental and industry standards can impact a company in many ways, as Yahoo is finding out the hard way. The company’s recent disclosure of a massive data breach, which resulted in 500 million user accounts being compromised, resulted in multiple class action lawsuits being filed against the company and may trigger a government investigation into why it took so long to disclose the breach.

The Yahoo breach and what it says about cyber security due diligence has also shaken up the mergers and acquisitions (M&A) world, and the hack may have put its planned acquisition by Verizon at risk. CSO Online reports:

Verizon has signaled that Yahoo’s massive data breach may be enough reason to halt its US$4.8 billion deal to buy the internet company.

On Thursday, Verizon’s general counsel Craig Silliman said the company has a “reasonable basis” to believe that the breach involving 500 million Yahoo accounts has had a material impact on the acquisition. This could give the company room to back out or get a large discount.

“We’re looking to Yahoo to demonstrate to us the full impact,” he added. “If they believe that it’s not, then they’ll need to show us that.”

As data breaches, ransomware, DDoS attacks, and other cyber attacks escalate in frequency, severity, and cost, cyber security due diligence has emerged as a serious issue in the M&A sector. Information security issues at an acquisition target could significantly impact a deal’s price, keep the deal from going forward at all, or, if the problems are not detected during the due diligence process, inflict a world of pain on the acquirer company; should its deal to acquire Yahoo go through, Verizon is reportedly planning to put $1 billion in reserve to cover the costs to clean up the breach.

While the Yahoo breach has put cyber security due diligence into the spotlight, scenarios where M&A deals were negatively impacted by cyber security issues have been occurring for some time. A recent survey of senior M&A executives by consulting firm West Monroe Partners, published several months before the Yahoo hack, found the following:

• 80% of respondents felt cyber security issues were “highly important” to M&A due diligence
• 40% of acquirers had discovered a cyber security issue at an acquired firm after a deal had gone through
• 32% of respondents pointed to a lack of qualified personnel involved in the diligence process in recent deals

Respondents also reported that the three most common cyber security problems uncovered during the M&A due diligence process were compliance issues (70%), the lack of a comprehensive data security infrastructure (40%), and vulnerability to insider threats (37%).

What Can Acquirers and Acquisition Targets Do?

The Yahoo hack did not happen out of thin air; it was the result of years of the company repeatedly putting the product user experience ahead of security and refusing to implement even the most basic proactive cyber security measures. Acquisition targets must take their cyber security as seriously as they take their accounting practices. This includes not just protection against breaches but ensuring that the company is compliant with all applicable regulatory and industry standards. Conversely, acquirers must pore over a target company’s cyber security and compliance practices as carefully as they would the company’s books.

Additionally, nearly 1/3 of the respondents to the West Monroe survey complained of a lack of qualified personnel to perform cyber security due diligence. This is not surprising. Cyber security is a complex, dynamic field; new threats and technologies are emerging daily, and most firms do not have the monetary or human resources to handle their own information security in-house. Outside cyber security experts should be involved in the M&A process on both ends. Target companies should have security vulnerability studies conducted before putting themselves on the market, and acquirers must enlist help to perform due diligence during the acquisition process.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call +1 (888) 896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure its systems.

Schedule some time with our Superheroes for a Free Assessment!