Cyber Security Due Diligence in M&A

Whilst Buyers appreciate the importance of conducting an early assessment of the target company’s cyber posture, only one third of them incorporate cybersecurity diligence into the early stages of the transaction process (e.g., when identifying and screening the target, and during the pre-signing due diligence).

In recent research on M&A participants, Forescout Technologies found that the IT team is not given enough time to review the company’s cybersecurity framework of standards, processes and protocols before the company acquires another company. In-house IT teams are not sufficiently trained to perform the needed assessment, and Buyers rarely set aside pre-acquisition budgets for IT audits or cybersecurity risk assessments performed by external advisors.

Cyber due diligence before a deal announcement can be particularly difficult in cases where the Seller shares limited information. More than 50% of the respondents acknowledge that, post-acquisition, their companies have experienced acquisition regrets due to cybersecurity concerns resulting from failing to address three key risk factors: human error and configuration weakness, connected devices, and data management and storage systems.

A costly example was Marriott's acquisition of an industry competitor, Starwood, a few years ago. The acquired business, Starwood, had been the victim of an undetected data breach since 2014. The Buyer, Marriott, only detected the breach, which affected 500 million of its guests, in 2018, two years after the acquisition took place. Consequently, the Buyer was fined US$24 million (GBP18.4m) by the Information Commissioner's Office (ICO). A rapid post-acquisition cyber security audit of the target company could have identified the hacking of the Starwood systems, and tighter recourse clauses in the acquisition agreement could have helped the Buyer to address the loss of commercial value with the Seller. However, had the Buyer performed sufficient pre-acquisition cyber diligence to identify the risks, the problem could have been mitigated earlier in the process.

Another area of attention is when a Buyer is looking to acquire a company that is developing strategic intellectual property (IP) and has high research and development (R&D) investments.

It is important to perform an early assessment of the Target to confirm that the IP information for the products in development by the business has not already been stolen through cyber breaches of the entity’s IT systems. In industries including financial technology, medical devices and aerospace, having a strong IP protection framework is paramount to defend against hostile organisations that range from competitors to governments. The business implication of compromised IP assets is that the value associated with them in the business to be acquired is simply not there. The Buyer will likely have lower revenues and investment returns compared to competitors that are short-circuiting the production cycle and reducing costs by not spending on the required R&D. This could also result in the acquired Target losing market share post-acquisition.

Before the signing and completion of the transaction, a lot of thought should be given to the post-acquisition IT integration strategy, specifically with reference to the cross-border data handling regulations in the jurisdiction where the business to be acquired is based. A few years ago, a UK financial institution acquired a bank in the emerging markets. The envisaged post-acquisition synergies and cost savings, which relied on outsourcing the data and information back office to another jurisdiction, were unachievable because local laws prohibited the export of information related to private and corporate clients and their banking transactions. The lack of foresight resulted in a long holding period for a non-performing business, and when the business was eventually divested a decade later, it was sold for 10% of the original price paid on acquisition.

There were some positive notes on the market, as the COVID-19 restrictions forced many companies to complete rapid digital transformation last year. The cost of maintaining regulation and compliance in this new environment resulted in financially well-performing businesses operating in highly regulated industries (healthcare insurance, for example) being put up for sale by their owners. The anticipated costs of implementing and maintaining a cyber and information security posture could be a price adjustment for the Buyer.

Chris Gould, Senior Advisor Cyber Security, Kalita Partners:
‘The unexpected and often significant costs from unknown data or cyber security breaches of a recently acquired company can be extremely harmful from a reputational and a financial standpoint. It is therefore essential to have cybersecurity experts involved in the M&A transaction from the very beginning and continue through the diligence and post completion phases with ongoing threat and intelligence monitoring.’

* * *
This article was written with the support of Alexander Pisemskiy, Head of Technology at Kalita Partners, and Chris Gould, Senior Advisor Cyber Security at Kalita Partners.
This series has been written by Kalita Partners with the contribution of Kamelia Kantcheva, Julien Artero, and Giulia Tesauro.