October 13, 2015

Cyber Risk: Mergers and Acquisitions Will Never Be the Same

October is National Cyber Security Awareness Month – and a good time to put the spotlight on the role that cyber risk plays in mergers and acquisitions (M&A).

Last year, a survey of over 200 corporate and other deal-makers around the world showed that cyber risk is turning out to be a major threat to M&A deals.

The survey, by the law firm Freshfields Bruckhaus Deringer, showed that 90% of respondents believed cyber breaches would result in a reduction in deal value while 83% believed a deal could be abandoned if cyber security breaches were identified.

While these numbers reveal a growing recognition of the cyber threat, the survey also showed that in many cases the threat is not being addressed – 78% of respondents said “cyber security is not analyzed in great depth or specifically quantified” as part of the M&A due diligence process.

In today’s connected world, cyber risk of a target company must become part of the overall M&A risk evaluation process.

“Without a true understanding of the security posture of a target company, the risk of cyber security issues cannot be reflected in the price of the acquisition, and M&A teams cannot fully trust in the proper return on their investments,” wrote blogger Mike McCormack in a securestate.com story.

Here are guidelines.

• Evaluate cyber risk just like any risk impacting the value of a target. “You need to find out if the target carries an acceptable level of cyber risk,” wrote cyber security executive Pamela Gupta in a linkedin.com blog. Results of the Freshfields survey showed a “worrying” level of complacency towards the assessment of cyber risks during M&A deals.
• Create a Security Team within the Mergers & Acquisitions Team. Remember, cyber security is a key business risk, and not just an IT department issue.
• During the entire process, follow comprehensive security protocols to protect confidentiality. Encryption, for example, should be used when information is circulated by email. Standard policies and procedures such as document management and secure document disposal should also be in place in workplaces.
• Control access to confidential information by knowing all of the internal and external Mergers & Acquisitions Team members.
• Understand the financial implications of cyber risk and cost of cyber security for both the ‘buy’ and ‘sell’ side. Chris Forsyth of Freshfields explained: “A business with a good track record and robust processes could be worth more than competitors while a business with a bad track record could be worth less.” Also, security risk can be used as a point of negotiation in the sale process.
• Factor in industry specific security requirements faced by the target company, said McCormack at securestate.com. For example, healthcare companies must comply with Health Insurance Portability and Accountability Act (HIPAA) regulations. A company that handles credit card information falls under the Payment Card Industry Data Security Standard (PCI-DSS).
• Put a data breach response plan in place so everyone knows what to do if a breach occurs.

An organization that stockpiles its old hard drives has an increased risk of a data breach. Clean out storage rooms now – and schedule secure destruction of hard drives.