Amid a growing number of high-profile corporate data breaches, cybersecurity is now a key issue for strategic acquirers. The hack of Yahoo, which came to light midway through its 2016 takeover by Verizon, resulted in a US$350 million purchase price reduction. The true extent of the hack has only recently been uncovered, demonstrating how damaging a large-scale data leak can be. With state-sponsored actors and opportunist hackers at work, and recent cyberattacks specifically aimed at obtaining inside information about transactions, a target’s cybersecurity must be front of mind. In our view, deal teams must consider how a data breach could impact a potential acquisition, before, during and after a deal.
Preparing for a Transaction — What Should M&A Deal Teams Scrutinise?
M&A deal teams must identify a target’s cyber assets and review security protocols and cyber defences, emphasising thorough technical due diligence. Diligence should include how data is stored and managed, where it is handled, and the data security measures implemented by third-party service providers. Acquirers should assess data sets including personal information, focusing on why information is being stored and whether storage is necessary and proportionate.
Acquirers should be alert to red flag issues; for example, lack of awareness about data protection and cyber issues; poor employee training on data security; failure to keep records of historic breaches; and regulatory investigations. Addressing poor practices post-close requires time and resources — buyers may prefer to factor costs into the purchase price, or require pre-closing remediation.