During a merger or aquisition, due diligence is a critical stage in understanding the risks and liabilities the target company or new entity may face. Lawyers, accountants, investment bankers and other experts review contracts, financials and countless other documents to ensure they know all the details about the companies involved so there aren’t any surprises once the deal closes. But due diligence is taking on new characteristics as the internet takes on a prominent role for most businesses.
Cyber due diligence is where experts analyze past information, security lapses and other areas of technology risk to identify costs or liabilities they present. Without this type of research in place, deals can be improperly valued because of upgrade expenses or extensive legal fees for victims of hacks or data breaches.
But despite this, businesses aren’t doing enough to account for these issues. According to a recent survey conducted by the London-based law firm Freshfields Bruckhaus Deringer, “78 percent of global respondents believe cyber security is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.” The study further showed that 90 percent of respondents said these breaches could reduce the deal’s value.
One firm that can certainly speak to the value of cyber due diligence is Verizon, something they experienced during their acquisition of Yahoo in 2016.
Once worth over $100 billion at the height of the dot-com boom, the well-known search engine had suffered a series of major missteps, causing it to lose more than 90 percent of its value when Verizon came along to buy them out in 2016. The deal was valued at nearly $5 billion, certainly still a decent amount, but it would get worse. As it turned out, Yahoo had been a victim of any number of cyber attacks in recent years. Some of them had been disclosed publicly, but not all of them. According to the Journal of the American Bar Association, “In late 2014, senior officers and legal staff of Yahoo!, Inc. learned that unauthorized access to its computer network had been gained by what Yahoo! identified as a ‘state-sponsored actor.’ Yahoo! did not, at that point in time, publicly disclose the incident.”
This information didn’t become known by Yahoo’s board until after Verizon had made their buyout offer almost two years later. When it did, and they realized that data for approximately 500 million accounts had been compromised, Yahoo and Verizon updated the terms of the deal. It included reducing the purchase price by $350 million (about a 7 percent cut), Yahoo would be responsible for liabilities from any related lawsuits and Yahoo and Verizon would split the liabilities from any government investigations 50/50. This was good news for Verizon stock, which closed the day up almost 30 cents/share.
With cyber crime on the rise, reaching $600 billion annually according to McAfee, it’s important for businesses to understand their risks and exposures. One of the ways they’re increasingly doing this is with cyber due diligence. According to PwC, acquirers should assess target companies on six main areas:
- Cybersecurity program
- Third-party security risk management
- Security controls for protection and detection
- Security and privacy controls in products and services
- Regulated and sensitive data security controls
- Data privacy program
As recent news indicates, no company is immune to data breaches and other cyber attacks. Cyber due diligence can avert significant legal and financial issues down the road while helping get the best value for the purchase.