Why Cybersecurity Is Critical to Your Deal’s Success
Conducting due diligence during the M&A process doesn’t just mean reviewing a target’s financial statements and operations. Not anymore, anyway. These days, in addition to performing financial, legal and operational due diligence, buyers need to scrutinize a potential acquisition’s data and IT networks.
Why? Look no further than the Yahoo/Verizon deal (finalized in Summer 2017), where negotiations came to a screeching halt after Yahoo admitted that hundreds of millions of its user accounts had been hacked. Unfortunately, lax cybersecurity can affect a merger’s terms, valuation, post-merger integration — and, of course, simply kill the deal.
When a buyer acquires a company, it also acquires the target’s present and future data security issues. Given the potential costs and legal obligations this inheritance represents, you need to be careful about courting a seller with a history of cyberbreaches.
Many buyers already are. A 2016 NYSE survey of public company directors and officers found that more than half believe that data vulnerabilities would significantly lower the value of a potential target. About 85 percent agreed that major vulnerabilities in a seller’s software assets would “likely” or “very likely” affect their final purchase decision. In addition, 22 percent said they’d likely abandon a deal if the company suffered a high-profile data breach.
Into the Breach
The Yahoo deal is a perfect example of how a data breach can wreak havoc in an M&A deal negotiation. In June 2016, Verizon agreed to acquire Yahoo’s core Internet business for $4.8 billion. In the following months, Yahoo disclosed that it had been hacked in 2013 and 2014, affecting possibly 1.5 billion email accounts.
In response, Verizon extended the deal negotiation process and reduced its offer by $350 million. It also negotiated for Yahoo to share in current and post-merger legal responsibilities and costs associated with the breaches.
Under these circumstances, selling businesses shouldn’t be surprised when potential buyers express interest in the security of their data. Before even entering the M&A market, sellers should devise and implement a strong cybersecurity policy. Doing so includes performing regular audits and pinpointing system weaknesses. Sellers — particularly those that have been relatively lax about cybersecurity — may need to increase their IT security budgets.
Prospective buyers are likely to look for several things during the due diligence stage, including compliance with all applicable federal, state and international standards. For example, companies generally must report data breaches to customers within a certain timeframe.
If your business has suffered data breaches:
- Record and describe them in detail,
- Tally any past or outstanding legal obligations and related costs,
- Demonstrate how the breaches were successfully resolved, and
- Explain what steps you’ve taken since to prevent future hacking.
To reassure buyers that the same thing won’t happen again, consider engaging a third party to conduct a fresh IT audit. Your M&A advisor can help you find an appropriate expert.
Taking It Seriously
There’s no going back. In 2018, every company must take responsibility for protecting its data and networks from hacking. This pressure is even stronger if you hope to sell your business because, even if you don’t take IT security seriously, your buyer certainly will.
MFA works with businesses of all sizes to assess their cybersecurity programs and make proactive recommendations for cyber preparedness. Whether you’re a single-owner small business, a high-tech startup in growth mode, or a stable franchise keeping a close eye on P&L, we can help. Contact us today to schedule a cybersecurity risk assessment and begin taking steps to safeguard your business.
Material discussed in this communication is meant to provide general information and should not be acted on without obtaining professional advice tailored to you or your company’s individual and specific needs. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used by any person or entity, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. This information is for general guidance only and is not a substitute for professional advice.
The information contained herein should not be construed as personalized investment advice. Investment in securities involves the risk of loss, and past performance is no guarantee of future results. There is no guarantee that the views and opinions expressed in this document will come to pass. Historical performance results for investment indexes and/or categories generally do not reflect the deduction of transaction and/or custodial charges or the deduction of an investment-management fee, the incurrence of which would have the effect of decreasing historical performance results. There can be no assurances that your portfolio will match or outperform any particular benchmark.
Information presented was obtained from sources deemed qualified and reliable; however, MFA makes no representations as to accuracy, completeness, suitability, or validity of any information within this communication and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. Any forward-looking statements are believed to be reasonable; however, MFA gives no assurance that such expectations will prove to be correct.