Global accounting firm EY recently surveyed 2,300 senior executives about their mergers activity over the previous year and turned up this disturbing result: Of those who had canceled a planned acquisition, 39% said the primary reason was “concerns about cybersecurity”.
Maybe it’s the Yahoo! Effect, fallout from the disastrous data breaches that disrupted the sale of the internet company to Verizon. Yahoo! had to knock $350 million off the sale price, and the repercussions continue with shareholder lawsuits and an SEC investigation.
Or maybe it’s just the general jitters of this WannaCry Era of ever-rising cyber risk to corporations.
Mergers and acquisitions do create some special due diligence and other challenges on the cyber side, such as:
- For an acquirer, scoping out the risk-management maturity level of the company to be acquired.
- Protecting the merger process itself, such as data security at the law firm handling the deal.
- Seeing around the corner to life after the deal: for instance, the risk of security holes developing when two sets of databases, applications, intellectual property and security procedures are merged, and the risk from malicious insiders if layoffs are part of the process.
Are mergers teams up to these challenges? A 2014 survey of 241 “global deal makers” by international law firm Freshfields Bruckhaus Deringer LLP found that:
- 78% did not think cybersecurity was being analyzed in great depth as part of due diligence.
- 73% said that due diligence was more concerned with historic breaches than future threats.
- Only 39% said they make a review of cybersecurity policies a prerequisite to closing the deal.
- 66% said a big problem is that cybersecurity risks are difficult to quantify in a short time frame.
The Freshfields report also suggests a five-part framework for M&A teams to handle cyber risk in merger deals:
1. Data Management Risk
Quantify the value of the data and detail how it is protected.
2. Technical Risk
Conduct a forensic investigation of data encryption, firewalls and other protections.
3. Corporate Risk
Audit contracts with third-party suppliers to assess how they protect client data.
4. Employee Risk
Evaluate training, processes in place, and employment contracts.
5. Track Record
Investigate whether the company suffered a data breach in the past and how it was handled.