Cyber-Risk Considerations During the M&A Process

Data breaches are a constant in today’s headlines, with this risk front and center for some of the most significant mergers and acquisitions (M&A) deals in recent years.

For example, Verizon Communications discounted its acquisition price by $350 million in 2017 when Yahoo! Belatedly disclosed that it experienced several massive breaches. In November, Marriott International publicly disclosed that Starwood’s guest reservation database—containing hundreds of millions of personal records—had been compromised since 2014, prior to the Marriott acquisition.

These and countless other incidents raise critical questions: How should boards be thinking about cyber risk in the acquisition process?

First, boards must understand that cyber risk can have a significant impact not only on the valuation of a deal but also on future legal liability associated with the transaction. From a board’s perspective, the fallout from the Yahoo breach is significant—multiple securities class action lawsuits, directors and officers liability insurance (D&O) suits, and recommendations for  removal of directors from the board. The board’s responsibility in overseeing cyber risk management has never been more crucial.

What steps should Boards take to address this risk prior to the acquisition? Organizations need to conduct due diligence for a potential acquisition target. In some circumstances, there may be a public record of an organization’s cybersecurity posture. Organizations may have disclosed security incidents or issues due to an obligation to state or federal regulators, and these disclosures may provide insight for an acquiring organization.

But public disclosure is unreliable. Organizations are disincentivized to disclose because it may negatively impact market value, and acquisition targets know that security issues can negatively impact their valuation. In fact, a 2016 survey by Brunswick found that half of all respondents said they would “trim their valuation in situations where the target company had been breached – whether the breach was discovered before, during or after the merger.”

Acquirers will often try to send their cybersecurity and other information security teams onsite to gain a deeper perspective on the risks and issues that may arise post-acquisition. This is important to properly account for any security “fixes” your organization will have to implement to bring the target up to your standards. But this, too, comes with challenges. The tools available to an acquirer’s cybersecurity team include questionnaires and penetration tests, but even if the target agrees, these methods are both time-consuming and reflect only a “snapshot in time” view—not necessarily historical performance.

So, how can your organization address these challenges around market transparency? Investors are finding that security ratings can offer significant insight into a target’s cybersecurity posture and address the information asymmetry challenge. Similar to how a credit rating provides unique insight into the transactional history of a consumer, security ratings providers continuously collect data in an automated, non-intrusive fashion to generate a data-driven, objective rating of security performance. Broad and deep data sets are available that highlight security performance and best practices, giving unique insight into what has—or has not—been managed efficiently over time. Armed with this data, information security teams can drill deeper into the security details of an acquisition; valuation teams can consider more deeply some of the risks that were opaque.

It’s never been more important to consider cyber risk in your investments. The cyber risk that a given company presents has been an often-overlooked element during the M&A process, but it doesn’t need to be that way. Asking the right questions—and acquiring the right data—can go a long way toward reducing financial risk in a transaction. Board members should not hesitate to raise this issue with management during the next acquisition meeting.

Learn more about using security ratings for M&A at BitSight for M&A.