Data breaches are a
constant in today’s headlines, with this risk front and center for some of the
most significant mergers and acquisitions (M&A) deals in recent years.
For example, Verizon Communications discounted its acquisition price by $350 million in 2017 when Yahoo! Belatedly disclosed that it experienced several massive breaches. In November, Marriott International publicly disclosed that Starwood’s guest reservation database—containing hundreds of millions of personal records—had been compromised since 2014, prior to the Marriott acquisition.
These and countless
other incidents raise critical questions: How should boards be thinking about
cyber risk in the acquisition process?
First, boards must
understand that cyber risk can have a significant impact not only on the
valuation of a deal but also on future legal liability associated with the
transaction. From a board’s perspective, the fallout from the Yahoo breach is
significant—multiple securities class action lawsuits, directors and officers
liability insurance (D&O) suits, and recommendations for removal of directors from the board. The
board’s responsibility in overseeing cyber risk management has never been more
What steps should Boards take to address
this risk prior to the acquisition? Organizations
need to conduct due diligence for a potential acquisition target. In some circumstances, there may be a public record of an
organization’s cybersecurity posture. Organizations may have disclosed security
incidents or issues due to an obligation to state or federal regulators, and
these disclosures may provide insight for an acquiring organization.
But public disclosure is unreliable. Organizations are disincentivized to disclose because it may negatively impact market value, and acquisition targets know that security issues can negatively impact their valuation. In fact, a 2016 survey by Brunswick found that half of all respondents said they would “trim their valuation in situations where the target company had been breached – whether the breach was discovered before, during or after the merger.”
Acquirers will often
try to send their cybersecurity and other information security teams onsite to
gain a deeper perspective on the risks and issues that may arise
post-acquisition. This is important to properly account for any security
“fixes” your organization will have to implement to bring the target up to your
standards. But this, too, comes with challenges. The tools available to an acquirer’s
cybersecurity team include questionnaires and penetration tests, but even if
the target agrees, these methods are both time-consuming and reflect only a
“snapshot in time” view—not necessarily historical performance.
So, how can your organization address these challenges around market transparency? Investors are finding that security ratings can offer significant insight into a target’s cybersecurity posture and address the information asymmetry challenge. Similar to how a credit rating provides unique insight into the transactional history of a consumer, security ratings providers continuously collect data in an automated, non-intrusive fashion to generate a data-driven, objective rating of security performance. Broad and deep data sets are available that highlight security performance and best practices, giving unique insight into what has—or has not—been managed efficiently over time. Armed with this data, information security teams can drill deeper into the security details of an acquisition; valuation teams can consider more deeply some of the risks that were opaque.
It’s never been more
important to consider cyber risk in your investments. The cyber risk that a
given company presents has been an often-overlooked element during the M&A
process, but it doesn’t need to be that way. Asking the right questions—and acquiring
the right data—can go a long way toward reducing financial risk in a
transaction. Board members should not hesitate to raise this issue with
management during the next acquisition meeting.
Learn more about using security ratings for M&A at BitSight for M&A.