Cyber Risks During M&A Transactions - Buyer’s remorse

September 10, 2024

Merlin Namuth, Director of Advisory Services and vCISO, Beazley Security

When months of haggling and due diligence involved in a merger & acquisition (M&A) transaction are concluded and the deal is finally signed, all those involved can be forgiven for breathing a sigh of relief. Senior executives, their casts of legal and financial advisers, operational and acquisition teams can now hope to look forward to the fruits of the integration. However, if the deal teams have not included their cyber security colleagues or brought in additional cyber expertise, then their satisfaction may be short-lived.

More than a quarter (26%) of the global business leaders surveyed for Beazley’s annual Risk & Resilience research ranked cyber risk as the key technological risk their businesses face. Despite this recognition of the threat, the role of cybersecurity is often neglected during M&A negotiations and deals. Indeed, despite the dawning awareness more generally, when it comes to M&A, fewer than 10% of deals involve scrutiny of cybersecurity practices¹. This oversight can have profound financial, operational and reputational implications.

The level of cybersecurity of a potential acquisition should be a key aspect of the due diligence process in any acquisition. Failing to take this into account can lead to extremely unwelcome financial, operational, and reputational consequences. 

A cautionary tale

The 2017 acquisition of Yahoo by Verizon should continue to give business leaders pause for thought, providing a cautionary tale and examples of how stiff the penalties can be when a data breach comes to light during the acquisition process². Verizon was set to acquire Yahoo for US$4.5bn³. However, before the transaction process was concluded, Verizon discovered that Yahoo had experienced data breaches in 2013 and 2014⁴. Yahoo lost US$350m of its purchase price⁵ and had to pay a US$35m Securities and Exchange Commission (SEC) fine⁶. Yahoo was also heavily penalised and had to pay an extra US$80m to its shareholders following a spate of lawsuits alleging that it had neglected to safeguard their data sufficiently⁷. This remains one of the most high-profile examples, but Yahoo is not alone. Cyber bad actors recognise that in the midst of M&A fever, firms can become distracted. Third parties also continue to represent a key entry point into larger, more secure organisations. As a result, the purchasing organisation must bring the acquired business into its security fold as soon as possible post-acquisition to rectify any potential cyber security and third-party deficiencies.

Acquiring unexpected risks

Companies may also acquire risks that have not been identified or quantified, which can lead to unexpected costs post-acquisition. The integration of IT systems can create vulnerabilities if not planned carefully, with planning crucial to successful and secure integrations. Standardisation, from security tools to protocols, is essential to maintaining the security of the combined organisation. Acquired companies may also have contracts with third parties that pose security risks. It is important to assess these relationships and ensure compliance with security standards.

Not all cyber risks are as sinister as a bad actor lurking in the acquiree's systems. More rudimentary challenges can often lead to significant headaches and potentially the acquired party failing to realise expectations. Domain expirations and a lack of administrative credentials can cause significant disruptions. As such, ensuring control over such critical assets from day one is vital.

The risks do not end there. While corks may be popping to celebrate the deal in boardrooms, disgruntled employees of the newly acquired company may pose a risk to the security of the organisation. Monitoring and managing access rights is a key step in mitigating this risk. There are also the inherited compliance requirements to consider. Understanding the acquired company's obligations and audit schedules is important to avoid penalties and ensure continuous compliance.

Involve cybersecurity expertise from the get-go

The financial impact of cyber risks in M&A transactions can be substantial. Costs associated with additional security measures, staff, and remediation efforts can run into hundreds of thousands of dollars. Moreover, the valuation of a company can be affected if significant cyber risks are identified during due diligence. Having a cybersecurity team involved at the start of the transaction rather than simply tasking them with integration post-acquisition will help to ensure these potential issues are managed early in the process. Expanding the acquisition team will also showcase where additional resource and third-party expertise may be needed.

Acquisitions are time consuming, and the potential pitfalls are myriad. Integrating cultures and strategies to retain the value of an acquired business takes careful planning and a clear strategy. This also applies to the integration of technologies and systems, balancing the desire to generate operational efficiencies with the need to maintain cybersecurity.

Cybersecurity is a critical aspect of M&A transactions that requires careful consideration. By incorporating cybersecurity into the due diligence process and planning for post-acquisition integration, companies can mitigate risks, protect their investments and, ultimately, avoid buyer’s remorse.