When cyber threatens M&A

Buying another company means taking on its digital operations, which can pose fresh and potentially deal-altering cybersecurity risks. These threats can jeopardize a deal’s anticipated value unless the acquirer identifies and addresses them early in the process.

Cyber issues can raise M&A costs and reduce value

Cyberattacks on companies can do more than violate laws and regulations. A business that is being acquired or generally exploring a sale typically wants a maximum return, and the acquirer wants to make sure its target is valued appropriately and is a sustainable asset. Insufficient investment in cybersecurity and digital infections can hamper or even kill those goals by reducing the value of the target’s assets, damaging its brand and derailing its growth prospects.

Many executives say data breaches, especially public ones, can lower a deal’s valuation. That was evident in Verizon’s acquisition of Yahoo, which closed in 2017. After Yahoo’s disclosure of two massive breaches in previous years, Verizon cut its offer by $350 million, or about 7% of the original price. In addition, the part of Yahoo that wasn’t sold to Verizon agreed to assume 50% liability from any future lawsuits related to the data breaches.

Risks across different sectors

This isn’t an issue for only tech companies. Cyber threats have spread to industries that weren’t targeted earlier in the digital age; restaurant chains, for example, can be attacked for the customer information—either credit card numbers or information from their loyalty programs.

Furthermore, the goal of a cyberattack can be more than a simple data grab. Consider a pharmaceutical company’s formula for a drug, a manufacturer’s product design or a distribution company’s transportation model. All of that is intellectual property that can be a crucial part of a deal’s value.

More anxiety and consequences

The risks for an acquirer in this environment are increasing. An acquisition that has existing cyber vulnerabilities can be used by threat actors to obtain access to the acquiring company as the integration progresses. The period between a deal’s announcement and closing is of particular exposure if vulnerabilities exist, given the heightened awareness and opportunity. That potential can raise anxiety among stakeholders—including investors, shareholders, customers, employees and suppliers—bringing further risk of disruption.

While cyber threats are more prevalent, it’s still rare for a breach or other issue to harm a transaction to the point that an acquirer completely walks away; delaying the transaction is a more common result. Yet delays, added costs and questions about a target’s value all have consequences for the deal process. To avoid such damage, acquirers need to understand the cyber risks of the target so they can limit surprises, model appropriately and ensure a reasonable transaction.

The road to reducing threats

Knowing the cyber risks in deals

Once a transaction comes into focus and an acquirer wants to determine the target’s real value, it needs to address two key areas. Security includes the history of cyber events, the controls in place and the assets at risk in a connected environment. Synergy involves determining how different the target’s systems and protocols are from the acquirer.

Read more

Taking action to limit cyber risks

The M&A process typically doesn’t allow much time to assess the complete state of cybersecurity at a target, and access to the target can be severely limited. A buyer must assess risks and vulnerabilities with imperfect information, and traditional protections can be ineffective.

Read more

Understanding cyber due diligence

Unlike other types, cyber due diligence isn’t as established and doesn’t analyze standardized data. The threat landscape can vary by industry or region, and frequent acquirers should have a flexible cyber deals playbook that allows them to identify and quantify issues that could affect a target’s value.

Read more

Mechanisms that mitigate cyber risks

To overcome a lack of transparency and visibility into key data, acquirers can use certain types of agreements in new ways while still protecting confidential details or proprietary information. They also can gather cyber intelligence beyond the typical deal process, including through information sharing.

Read more

Next steps for dealmakers

For a transaction to proceed with an understanding of the cyber risks, an acquirer must incorporate cyber issues into its assessment of a deal target. With this insight, the risks and cost can be factored into the deal model, negotiation and Day One planning. This includes understanding key cyber risk indicators, including:

  • The state of the target’s cybersecurity program, the compatibility and resiliency of its IT operations to cyber incidents, and which applications are vulnerable to attack—and by whom.
  • The amount and nature of data and information the target is responsible for, what is most sensitive and valuable and how it is protected.
  • If and how the target complies with government regulations and global privacy requirements, and if that compliance adequately guards against industry-specific or other cyber threats.
  • The costs of addressing the above concerns and the impact not only on deal negotiations and pricing but also the acquirer’s business, brand and reputation going forward.

Focusing on these areas during a deal will help minimize the chances of digital disruption that could create additional challenges—in the short or long term—and result in an acquirer regretting what once was a promising deal.

Contact us

Todson Page

Partner, Deals, PwC US

Quentin Orr

Principal, Cybersecurity and Privacy, PwC US

Follow us