Amid a growing number of high-profile corporate data breaches, cybersecurity is now a key issue for strategic acquirers. The hack of Yahoo, which came to light midway through its 2016 takeover by Verizon, resulted in a US$350 million purchase price reduction. The true extent of the hack has only recently been uncovered, demonstrating how damaging a large-scale data leak can be. With state-sponsored actors and opportunist hackers at work, and recent cyberattacks specifically aimed at obtaining inside information about transactions, a target’s cybersecurity must be front of mind. In our view, deal teams must consider how a data breach could impact a potential acquisition, before, during and after a deal.
Preparing for a Transaction — What Should M&A Deal Teams Scrutinise?
M&A deal teams must identify a target’s cyber assets and review security protocols and cyber defences, emphasising thorough technical due diligence. Diligence should include how data is stored and managed, where it is handled, and the data security measures implemented by third-party service providers. Acquirers should assess data sets including personal information, focusing on why information is being stored and whether storage is necessary and proportionate.
Acquirers should be alert to red flag issues, for example: lack of awareness about data protection and cyber issues; poor employee training on data security; failure to keep records of historic breaches; and regulatory investigations. Addressing poor practices post-close requires time and resources — buyers may prefer to factor costs into the purchase price, or require pre-closing remediation.
Cybersecurity and Deal Price — How Cybersecurity Issues Erode Value
Investigation, remediation, and notification can be expensive. Further, hacks and data breaches damage relationships, harm reputation and long-term consumer confidence, and can lead to regulatory fines, which in turn can damage long-term growth and the inherent value of any M&A deal.
How Do Cybersecurity Concerns Affect the SPA?
When negotiating deals, acquirers should use the warranty and disclosure process to draw out information on historic cybersecurity issues and procedures. In our view, warranty requests tailored to cybersecurity concerns (including cyber insurance) are increasingly common and detailed. However, warranties only address pre-deal breaches, and are unlikely to protect the buyer if an issue arises post-closing, unless carefully drafted to give comfort that adequate security measures were in place at closing. Buyers may seek indemnities to address cybersecurity issues or preparedness shortcomings, although sellers are likely to resist such a request other than for specific known issues.
Security breaches can take months or even years to emerge, and buyers should continually assess whether the acquired business has the appropriate defences in place. A sophisticated, integrated approach (i.e. technical, structural, procedural, cultural) to planning and preparing for a cyberattack is required. Critically, a robust, tested, and rehearsed incident response plan is key to responding quickly and mitigating damages and risk.
It is often said that there are two kinds of companies: those that have already suffered a data breach and those that will suffer one. In our view, cybersecurity should be treated as a core aspect of modern M&A due diligence.