How cyber attacks could derail the fragile M&A boom
IT WAS one of the darkest days for mergers and acquisitions (M&A) in Wall Street history. The collapse of five mega-deals earlier this month, for reasons ranging from a lack of board engagement to excessive regulatory interference, demonstrates the fragility of the current M&A boom. Already this year, 339 deals worth $428bn (£256bn) have collapsed – the highest number since 2008. And given these statistics, it’s worth reminding ourselves of the risks facing companies during deals.
Often overlooked is cyber security risk. While there have been few published instances of cyber attacks affecting M&A, a recent survey of dealmakers across the US, Europe and Asia revealed that 83 per cent think a cyber security breach occurring during a deal would be enough to derail it.
Dealmakers’ top concerns over the course of the M&A process include target firms suffering cyber attacks during discussions, the target being a victim of data or intellectual property theft by cyber attack, and evidence of a target not handling a past breach effectively (leading to reputational damage and fines). And yet despite a growing awareness of the threat posed by cyber attacks, 78 per cent of dealmakers say cyber security is not sufficiently dealt with as part of due diligence.
Indeed, cyber security in the M&A process is about more than just keeping sensitive data safe. Acquirers must assess whether their target carries an acceptable level of cyber risk in the same way they would analyse its financial position. To put it another way, you wouldn’t dream of buying a chemicals plant without assessing environmental risk. So why would you buy a data-driven business (and given the growth of Big Data, many businesses now are) without assessing its risks around data management and cyber security? It is simply not prudent.
Of course, the effect of a cyber incident on deal values works both ways. A business with a good track record and robust processes could be worth more than competitors, while a business with a bad track record could be worth less. And a thorough knowledge of a business’s cyber security is equally important during the post-acquisition integration phase. When you buy a company, you’re buying its data – and you could be buying its data security problems.
As investors, corporates and regulators wake up to cyber risk, more companies are being penalised and more executives are feeling pressure to treat it seriously. The chief executive of Target resigned in the aftermath of that company’s massive hacking incident in late 2013. In light of the almost daily revelations around new cyber incidents, buyers should be asking more penetrating questions than previously. Likewise, sellers will want to review the data they hold, how valuable it is, where it is used, and the risks posed by their own employees and suppliers to fully understand their vulnerabilities.
While Wall Street’s traumatic Tuesday this month may have dampened spirits in the M&A market, rumours of a new mega deal could easily swing sentiment back to positive. But buyers and sellers, and their professional advisers, need to consider the very real and very present dangers posed by cyber security, or there could be yet more dark days on the horizon.