It’s time to better identify the cost of cybersecurity risks in M&A deals

Over the past decade, a number of high-profile cybersecurity issues have arisen during mega-M&A deals, heightening concerns among corporate executives.

In 2017, Yahoo disclosed three data breaches during its negotiation to sell its internet business to Verizon [Disclosure: Verizon Media is TechCrunch’s parent company]. As a result of the disclosures, Verizon subsequently reduced its purchase price by $350 million, approximately 7% of the purchase price, with the sellers assuming 50% of any future liability arising from the data breaches.

While the consequences of cyber threats were soundly felt by Yahoo’s shareholders and widely covered in the news, it was an extraordinary event that raised eyebrows among M&A practitioners but did not fundamentally transform standard M&A practices. However, given the high potential cost from cyber threats and the high frequency of incidents, acquirers need to find more comprehensive and expedient methods to address these risks.

Today, as conversations accelerate around cybersecurity matters during an M&A process, corporate executives and M&A professionals will point to improved processes and outsourced services for identifying and preventing security issues. Despite the heightened awareness among financial executives and a greater range of outsourced solutions for addressing cybersecurity threats, acquirers continue to report increasing numbers of cybersecurity incidents at acquired targets, often after the target has already been acquired. Despite this, acquirers continue to focus due diligence activities on finance, legal, sales and operations and typically see cybersecurity as an ancillary area.

While past or potential cyber threats are no longer ignored in the due diligence process, the fact that data breaches are still increasing and can cause negative financial impact that will be felt long after the deal has closed highlights a greater need for acquirers to continue to improve their approach and address cyber threats.

The current lack of focus on cybersecurity issues can be partially attributed to the dynamics of the M&A market. Most middle-market companies (which constitute the nominal majority of M&A transactions) will typically be sold in an auction process where an investment bank is engaged by the seller to maximize value by fostering competitive dynamics between interested bidders. In order to increase competitiveness, bankers will typically drive a deal process forward as quickly as possible. Under tight time constraints, buyers are forced to prioritize their due diligence activities or risk falling behind in a deal process.

A typical deal process for a private company will move as follows:

  • Selling company’s investment bankers contact potential buyers, providing a confidential information memorandum (CIM), which contains summary information on a company’s history, operations and historical and projected financial performance. Potential buyers are typically given three to six weeks to review materials before deciding to move forward. Unless there is a previously known cybersecurity issue, a CIM will typically not address potential or current cybersecurity issues.
  • After the initial review period, indications of interest (IOI) are due from all interested bidders, who will be asked to indicate valuation and deal structure (cash, stock, etc.).
  • After IOIs have been submitted, the investment banker will work with the sellers to select top bidders. Key criteria that are evaluated include valuation, as well as other considerations such as timing, certainty of closing and credibility of buyer to complete the transaction.
  • Bidders selected to move forward are typically given four to six weeks after the IOI date to drill deeper into key diligence issues, review information in the seller’s data room, conduct a management presentation or Q&A with the target’s management and perform site visits. This is the first stage when cybersecurity issues could be most efficiently addressed.
  • Letter of Intent is due, when bidders reaffirm valuation and propose exclusivity periods wherein one bidder is selected on an exclusive basis to complete their due diligence and close the deal.
  • Once an LOI is signed, bidders typically have 30-60 days to complete the negotiation of definitive agreements that will outline in detail all terms of an acquisition. At this stage, acquirers have another opportunity to address cybersecurity issues, often using third-party resources, with the benefit of investing significant expenses with the greater certainty provided by the exclusivity period. The degree to which third party resources are directed toward cybersecurity relative to other priorities varies greatly, but generally speaking, cybersecurity is not a high-priority item.
  • Closing occurs concurrent with signing definitive agreements, or in other cases, closing occurs after signing often due to regulatory approvals. In either case, once a deal is signed and all key terms are determined buyers can no longer unilaterally back out of a deal.

In such a process, acquirers must balance internal resources to thoroughly evaluate a target with moving quickly enough to remain competitive. At the same time, the primary decision makers in an M&A transaction will tend to come from finance, legal, strategy or operating backgrounds and rarely will have meaningful IT or cybersecurity experience. With limited time and little background in cybersecurity, M&A teams tend to focus on more urgent transactional areas of the deal process, including negotiating key business terms, business and market trend analysis, accounting, debt financing and internal approvals. With only 2-3 months to evaluate a transaction before signing, cybersecurity typically only receives a limited amount of focus.

When cybersecurity issues are evaluated, they are heavily reliant on disclosures from the seller regarding past issues and internal controls that are in place. Of course, sellers cannot disclose what they do not know, and most organizations are ignorant of attackers who may already be in their networks or significant vulnerabilities that are unknown to them. Unfortunately, this assessment is a one-way conversation that is reliant on truthful and comprehensive disclosures from sellers, lending new meaning to the phrase caveat emptor. For this reason, it’s no coincidence that a recent poll of IT professionals by Forescout showed that 65% of respondents expressed buyer’s remorse due to cybersecurity issues. Only 36% of those polled felt that they had adequate time to evaluate cybersecurity threats.

While most M&A processes do not typically prioritize cybersecurity, M&A processes will often focus squarely on cybersecurity issues when known issues occur during or prior to an M&A process. In the case of Verizon’s acquisition of Yahoo, the disclosure of three major data breaches led to a significant reduction of purchase price, as well as changes in key terms, including stipulations that the seller would bear half the costs of any future liabilities arising from these data breaches. In April 2019, Verizon and the portion of Yahoo that was not acquired would end up splitting a $117 million settlement for the data breach. In a more recent example, Spirit AeroSystems’ acquisition of Asco has been pending since 2018 with a delayed closing largely due to a ransomware attack on Asco. In June 2019, Asco experienced a ransomware attack that forced temporary factory closures, ultimately causing a 25% purchase price reduction of $150 million from the original $604 million.

In both the case of Spirit and Verizon’s acquisitions, cybersecurity issues were largely addressed through valuation and deal structure, which limits financial losses, but does little to prevent future issues for a buyer, including loss of confidence among customers and investors. Similar to Spirit and Verizon’s acquisitions, acquirers will typically utilize structural elements of a deal to limit the economic losses. Various mechanisms and structures — including representations, warranties, indemnifications and asset purchases — can be utilized to effectively transfer the direct economic liabilities of an identifiable cybersecurity issue. However, they cannot compensate for the greater loss that would occur from reputational risk or loss of important trade secrets.

What the Spirit and Verizon examples demonstrate is that there is quantifiable value associated with cybersecurity risk. Acquirers who do not actively assess their M&A targets are potentially introducing a risk into their transaction without a mitigation. Given a limited timeline and the inherently opaque nature of a target’s cybersecurity issues, acquirers would benefit greatly from outsourced solutions that would require no reliance upon, or input from a target.

The scope of such an assessment ideally uncovers previously unknown deficiencies in the target’s security and exposure of business systems and key assets, including data and company secrets or intellectual property. Without such knowledge, acquirers go into deals partially blinded. Of course, industry best practice is to reduce risk. Adding this measure of cybersecurity assessment is an excellent practice today and likely a mandatory requirement in the future.