Recent headlines about a multibillion-dollar deal shaken by revelations of a potentially record-setting data breach vividly underscore the need to address cybersecurity in due-diligence for mergers and acquisitions.
Hacking incidents or vulnerabilities can have a direct impact on the value of a company being acquired — and on the riskiness of a deal. To explore how cybersecurity and deals professionals are working together to guide companies through such challenges, PwC's editorial director for risk and regulatory matters, Chris Castelli, sat down with David Burg, Global and Co-US Advisory Cybersecurity and Privacy Leader, and Curt Moldenhauer, a partner in our Deals Practice and the leader of the US Acquisitions practice.
Chris: Paula Loop, who leads PwC’s Governance Insights Center, has written that cybersecurity in mergers and acquisitions (M&A) is one of the top issues keeping corporate directors up at night. Given the high frequency of press reports about major cybersecurity incidents, it’s no wonder that buyers are wary of acquiring companies tainted by such risks. Uncovering and understanding cyber risks, however, can be challenging. How well are boards and executives addressing these issues, in your experience?
David: This is an emerging area. It is clear to many in the private sector that cyber attacks are growing more sophisticated and that defenses are immature. It is also clear that compliance alone doesn’t ensure security, that the cost of cyber risk management is rising and that these are industry-wide risks. Hence, a number of highly sophisticated companies are working to integrate cybersecurity into their M&A due-diligence processes. Other organizations, however, could do a better job mitigating these risks given the high stakes involved. Corporate executives — including CEOs and CISOs — and deals professionals should increasingly focus their attention on how cyber risks might factor into decisions about acquisitions. These issues can impact a brand, competitive advantage and transaction value.
Curt: For deals professionals, cyber risks have only come onto the radar as a real threat in the last year or two. Cyber risks are still relatively new in this context. The challenge is not merely to include cybersecurity in deals due diligence but also to address these issues as early as possible. In other words, don’t wait until you have a deal. Allow consideration of these issues to inform and shape the strategy that will determine which deals are worth pursuing and which are best avoided. It’s important for boards to have meaningful discussions on these matters and to recognize that cyber risks apply to all industry sectors.
Chris: What are some examples of different ways cyber risks might affect the value of a deal?
Curt: You cannot effectively value an acquisition if you do not understand its assets and liabilities. Fortunately, cyber risk fits nicely within a two-part framework traditionally used assess potential deals. First, there’s a value angle — are you really, truly valuing a company accurately? One could imagine a range of possible scenarios where a valuation is impacted by the discovery of cyber risks. An assessment might reveal, for instance, that an acquisition target has no history of breaches but that its cyber-risk management is poor and will require investment to improve. If the assessment also uncovered problems that might impact brand or reputational issues, the level of concern would likely escalate. Further, if it is discovered that a company’s intellectual property was hacked without anyone knowing, that sort of revelation could jeopardize a deal.
David: Absent an evaluation of a company’s cyber risk, there is no way to know if the balance sheet is accurate. If you are pursuing an acquisition — say it’s a $1 billion valuation — because you value a company’s intellectual property, and then you discover that foreign hackers infiltrated the company’s networks and stole trade secrets, the assets may be highly overvalued. This type of knowledge, if indeed understood, could dissuade a buyer from doing a deal.
Curt: Right. Second, there’s a risk angle — are you walking into a huge problem? If attackers are lurking in the system, you may be buying a huge, as yet undiscovered liability.
David: We advise directors of companies engaged in an acquisition to always ask for details of breach information from the target company. Data breaches can raise questions about whether a company’s networks are or were compromised by hackers and whether the bad guys can ever be ejected, as well as inform integration plans. Buyers might be dissuaded from acquiring companies known to be insecure. It is also important to examine whether companies made cybersecurity a priority when they adopted new technologies over the years or whether such IT changes put critical assets at risk.
Curt: Buyers should also aim to assess the adequacy and maturity of their acquisition target’s cybersecurity controls. Cybersecurity is also important on the sell side, by the way. Depending on the transaction type — for instance, a carve-out, spin-off or divestiture — there are various cyber risks in the deal life-cycle through the conclusion of transition services agreements.
Chris: Are some acquisitions best avoided due to known cyber risks?
David: Certainly. Assessing these risks, however, requires asking sophisticated questions. By the way, the answers to those questions don’t always amount to bad news. If a buyer determines, for instance, that a company is proactively working with the FBI or another international law enforcement agency to ensure its assets are better protected, that could be a positive finding about risk management. The general lack of transparency surrounding cybersecurity incidents, however, can complicate the M&A due-diligence process.
Chris: Is there a role for government in terms of improving that transparency?
David: In the United States, it might be helpful to buyers assessing potential deals if the U.S. government were able to provide more public information about which sectors or even which specific companies were or are being targeted by acts of cyber espionage. This could help buyers understand which deals might have an increased risk of involving hacked intellectual property or other negative implications of hacking activity.
Chris: What if a company being acquired does not realize it was hacked?
David: That is not uncommon. On average, seven months pass before a breach is detected by in-house security personnel. Ironically, sometimes the risk comes from third parties when a company outsources the protection of its networks and data in the interest of improving cybersecurity. Relying on outside suppliers, vendors and contractors can create security gaps. Third-party cybersecurity risks recently topped an American Bar Association list of concerns to address in M&A due diligence. The ABA guidance stressed the need to review the text of any agreements that support the computing, processing, payments, or other technology work performed by third parties. The guidance also highlighted the importance of knowing about and understanding each suspected network intrusion.
Chris: Determining if a potential asset’s IT infrastructure has been compromised by an advanced, persistent cyber threat is no simple task — but PwC has a long history of finding cyber threat activity that was previously unknown to clients. How is PwC leveraging its expertise not only in deals and cybersecurity, but also forensics, to provide integrated M&A due-diligence services to clients?
David: By combining our experience, threat intelligence, proprietary technologies, and knowledge of industries and sectors, PwC can help clients identify the indications that a target has been compromised by today’s most advanced adversaries. We have applied lessons from real forensic investigations of cyber incidents conducted all over the world to create an innovative way to identify breach indicators or evidence of hacking without requiring the installation of software to conduct the review. This type of in-depth study, which takes about four to six weeks, results in a cyber threat assessment report. The report identifies likely threat actors in the potential asset’s environment; impacted systems or data; business risk; and possible motives of the threat actors. It also includes identified evidence or breach indicators as well as recommendations on how to manage any active threat in the environment. These in-depth assessments are designed to support decisions on high-risk acquisitions. For other types of deals, lighter assessments can be developed more rapidly, tailored to the specifics of the deal.
Chris: What sets this service apart in the marketplace?
David: Several factors: PwC’s partners and staff who are former national security officials; our access to industry, sector, and regulatory subject matter specialists for contextual input; our professionals with advanced degrees who maintain certifications such as Certified Information System Security Professionals (CISSP), Encase Certified Examiners (EnCE); our use of network threat detection, system threat detection, and data analysis solutions fueled by threat intelligence; and operations from six PwC forensic labs leveraging 1,000+ professionals in the U.S. and 50 forensic labs with 3,000+ professionals overseas.
Curt: It’s just the sort of tool that can help buyers pursuing deals proactively address cyber risks in the due-diligence process. Building a more complete picture of the M&A target allows for a more informed, financially sound decision.
Deals Research and Insights Leader, PwC US