Every M&A Transaction Has Cybersecurity Risk
If you engage in M&A activity, you’ve seen the large pending deals—Verizon-Yahoo and AT&T-Time Warner—and know that regulatory review and price are generating headlines. However, these deals also show that executives, boards, bankers, and attorneys absolutely have to include cybersecurity as a key risk factor in any deal.
Let’s take a look at Verizon-Yahoo. Craig Silliman, general counsel at Verizon, jolted the financial world when he commented on the Yahoo data breach: “I think we have a reasonable basis to believe right now that the impact is material and we’re looking to Yahoo to demonstrate to us the full impact.” After that comment, Yahoo must show that the breach has not affected its value to preserve its price and keep the deal on track.
While a technology company like Yahoo—with its hundreds of millions of personal consumer e-mails and user data —or a content provider like Time Warner present well-known targets to hackers, every M&A transaction faces potential cybersecurity threats on multiple fronts.
First, as we’ve seen from Yahoo, a data breach at a company that is being acquired can lead to higher breakup fees, headaches in closing the transaction and even the possibility that the deal could be scrapped. There is also the problem of joining networks: if one company’s network has been compromised then you inherit the security risk of that company and risk introducing that same threat into your environment.
Second, hackers are focused on finding proprietary information about deals and financial data so they can reap a windfall in the market and they continue to target international law firms for inside information on M&A transactions. Hackers are very aware of the potential windfall to be made by obtaining nonpublic information before the market: in 2015, the SEC charged 32 people for stealing financial information from newswires before it became public and reaping more than $100 million in profits. While these were mainly simple stock trades, there is little doubt that companies involved in M&A transactions are being targeted for information that could lead to a windfall in the market.
But, it’s not just tech or Fortune 500 companies being targeted. We know from experience that businesses of every size and in every sector face cybersecurity threats: our consultants have supported global manufacturing, healthcare, and pharmaceutical companies through acquisitions by conducting threat assessments of the organizations these companies were acquiring.
If your company is looking at purchasing or merging with another company, but has not done a cybersecurity assessment, the company could be open to a potentially costly liability. Cyberattacks on private financial information, valuable IP, customers’ data or business-critical systems represent unseen liabilities that could lead to large investments for your company. That’s why as seasoned cybersecurity experts who understand how to communicate business risk to business leaders, we believe that a cybersecurity risk assessment should be standard for M&A in every industry.