Assessing Cybersecurity in Mergers and Acquisitions
I met Karl for the first time during a trail running competition in Zermatt, where we shared a large portion of the race. I remember waking up very early and joining the start under heavy rain. Not really the kind of weather you want to experience in mid-August. I exchanged a few words with Karl on the starting line, and off we went. Two hours into the race, the sky became clearer and within another hour, the weather turned completely sunny – we could finally enjoy the view of the Matterhorn, which changed size and aspect along the trail. Karl and I were running at the same pace, and 50 km was long enough to give us time to discuss our respective professional lives, among other things. After that, we regularly met each other at several trail competitions over the next years.
One day I bumped into Karl at a networking event. Karl had a very successful track record in his previous corporate functions throughout his career, mainly on the business side. He had recently turned entrepreneur and had just concluded what he believed was the deal of a lifetime: Karl had acquired a mid-sized company with huge development potential.
Karl was almost clueless about information technology, except for the usual stuff. He nevertheless showed genuine interest in cybersecurity now that this company was his. What he read in the news was alarming. He started asking himself: Can this happen to my company? If yes, what would be the consequences?
And then I asked him the question: “By the way, did someone assess your IT and its security during the due diligence, to establish a valuation, before you purchased your company?” Karl was not sure this was the case. In fact, he was sure this was not the case. So, I proposed to conduct a holistic audit of the company’s IT infrastructure to ensure he would start managing on a clean basis and not wait for the next incident that could potentially be fatal to his investment. The results, however, proved mixed, if not concerning.
* * *
Assessing cybersecurity risk during the due diligence phase of an M&A deal is paramount, given the importance IT takes in our businesses. Imagine you have identified, say, an airline that looks incredible, has a brilliant track record and has huge potential. Looks great. But would you invest in an airline that offers best-in-class service, the most comfortable seats and the best flight entertainment systems to its passengers, but has not sent its engines for regular servicing for years? And if yes, how much would you invest?
Or would you buy a used car without looking inside and sitting in the driver’s seat, without opening the hood and ensuring that the engine in the car is the one you expect and is in good shape (car dealers, by the way, can do that for you)?
So, let’s have a closer look at the following five reasons why you should holistically assess information systems and cybersecurity risks during due diligence, before you acquire a company.
The results of a risk assessment will give you a sense of the cybersecurity culture in the company and also of its IT in a broader sense. If IT is poorly managed, under-invested and on top of that comes with a lot of security holes that make information systems almost unreliable, this is a bad omen about current management’s attitude towards IT. You will need to take this point into account before you invest in this company, because it means that once in the driver’s seat you will have to devote significant energy to shifting the company culture, which might take months, or years.
This assessment will tip you off on the financial investment the company has to make to rebuild its IT and/or reinforce its security. With the risk assessment should come a rough evaluation of how much, if you acquire the company, you will need to invest in the near future to reach an acceptable level of risk for the information systems. Depending on the complexity of the systems, the quantity of assets, the size of the company and the magnitude of the vulnerabilities, this amount could reach hundreds of thousands of USD, if not millions.
This is not a cybersecurity risk as you might imagine it, but the risk assessment could also help you find hidden skeletons in the closets of the target company. For instance, are all licenses used for IT assets paid up to date? Given the price of some licenses, it is tempting to delay their payment until better times arrive, especially if the company is currently in bad financial shape, or if the owners know they will soon sell the company. Trust me, this issue is not unusual and should not be underestimated, not only from a direct financial cost perspective (once the company is yours, you pay for the unpaid licenses), but also from a regulatory/compliance point of view.
Another hidden skeleton is obsolete IT equipment, which will require serious investments very soon after you conclude the deal. How old is the hardware? Which hardware should be replaced? Are your servers still under maintenance? Again, ageing systems that are no longer maintained are a serious risk that could affect the availability of your IT.
Remember: the audit is a risk assessment. Non-compliance with software licensing or systems (un)availability are serious risks which are an integral part of the cybersecurity risk a company faces.
The audit will assess, qualitatively and quantitatively, the holistic cybersecurity risk that the target company faces. Then you will have to balance the amount of the risk against the potential cash flows of the company for decision-making: given the risk, is the company worth the investment? Admittedly, this is a potential risk: there is no certainty that it will materialize tomorrow, or at all, or with its highest impact. But what if it does? Remember Murphy’s law…
The picture you receive from the risk assessment gives you a clear overview of where the organization stands here and now in terms of IT and cybersecurity. To kill two birds with one stone, it should also come with recommendations and a roadmap that explains clearly what should be undertaken operationally, tactically and strategically to decrease your cybersecurity risk and improve your IT infrastructure. So, when you are ready to start operating your newly acquired business, you already know where you are heading in terms of information systems.
In the buyer’s shoes
Now that you have a clearer picture thanks to this assessment, how can you leverage it?
Leverage number one
With all those elements in hand (risk level, plus required investment to reduce the risk, plus required investment to clean out the potential skeletons), leverage the risk assessment to more accurately determine the target company’s valuation and possibly negotiate a lower acquisition price. A notable example is the acquisition of Yahoo Inc. by Verizon in 2017. Verizon was able to lower its original offer by USD 350 MM (a significant 7.25% decrease) after Yahoo disclosed in 2016 that it was affected by two massive data breaches. In other words, Yahoo’s data breach was a serious value destroyer. Protecting databases through proper encryption mechanisms would certainly have required an investment of less than USD 350 MM.
Leverage number two
Imagine yourself after the acquisition. One day, information systems fall victim to ransomware that paralyses the entire activity of the company, but the previous shareholders never validated any budget for backup systems (because this is costly…). The fact is that the previous shareholders screwed you (wittingly or unwittingly). Or suppose that a data breach occurs because of poor database security design (because time-to-market prevails…) and thousands of records are leaked that affect the privacy of your customers: you will now face serious legal and compliance costs.
So, leverage the risk assessment to insert a clause in your contract making the seller liable for any major cybersecurity incident (to be defined) that occurs in the coming months or years (period to be determined). Protect yourself from a legal standpoint so you can ask for compensation, even if your company remains (alas) legally responsible. In October 2013, the Neiman Marcus Group was sold to Ares Management and the Canada Pension Plan Investment Board. However, Neiman Marcus was the victim of a data breach earlier the same year, which was disclosed only in January 2014. As a result, its new owners agreed to a settlement of USD 1.5 MM in 2019.
In the seller’s shoes
Now put yourself in the seller’s shoes. Undoubtedly, an unsatisfactory outcome of such a risk assessment during due diligence can seriously compromise the likelihood of selling your business at the desired price, or simply result in a no-go for the potential acquirer. So be sure you do not overlook cybersecurity, and not only for this reason. As you know, opportunities most likely do not come twice.
* * *
Information technology is as vital to a business as water is to fish: they do not understand how important it is until they are pulled out of the water. Then it is too late. So, if you are a buyer, ensure you assess cybersecurity before you or your corporation decides to acquire a new company. The benefit-cost ratio is invaluable. And ensure that such an assessment is properly carried out by professionals with proper expertise and a holistic approach, not just a “by-the-way” comment at the bottom of a page. If you are a seller, well, tighten your IT and its security long before you decide to sell, and not just for this reason, but to create continuous value in your business.