Buying another company means taking on its digital operations, which can pose fresh and potentially deal-altering cybersecurity risks. These threats can jeopardize a deal’s anticipated value unless the acquirer identifies and addresses them early in the process.
Cyberattacks on companies can do more than violate laws and regulations. A business that is being acquired or is generally exploring a sale typically wants a maximum return, and the acquirer wants to make sure its target is valued appropriately and is a sustainable asset. Digital infections and insufficient investment in cybersecurity can hamper or even kill those goals by reducing the value of the target’s assets, damaging its brand and derailing its growth prospects.
Many executives say data breaches, especially public ones, can lower a deal’s valuation. That was evident in Verizon’s acquisition of Yahoo, which closed in 2017. After Yahoo’s disclosure of two massive breaches in previous years, Verizon cut its offer by $350 million, or about 7% of the original price. In addition, the part of Yahoo that wasn’t sold to Verizon agreed to assume 50% liability from any future lawsuits related to the data breaches.
This isn’t an issue for only tech companies. Cyber threats have spread to industries that weren’t targeted earlier in the digital age; restaurant chains, for example, can be attacked for their customer information, either credit card numbers or information from their loyalty programs.
Furthermore, the goal of a cyberattack can be more than a simple data grab. Consider a pharmaceutical company’s formula for a drug, a manufacturer’s product design or a distribution company’s transportation model. All of that is intellectual property that can be a crucial part of a deal’s value.
The risks for an acquirer in this environment are increasing. An acquisition that has existing cyber vulnerabilities can be used by threat actors to obtain access to the acquiring company as the integration progresses. The period between a deal’s announcement and closing is a time of particular exposure if vulnerabilities exist, given the heightened awareness and opportunity. That potential can raise anxiety among stakeholders (including investors, shareholders, customers, employees and suppliers), bringing further risk of disruption.
While cyber threats are more prevalent, it’s still rare for a breach or other issue to harm a transaction to the point that an acquirer completely walks away; delaying the transaction is a more common result. Yet delays, added costs and questions about a target’s value all have consequences for the deal process. To avoid such damage, acquirers need to understand the cyber risks of the target so they can limit surprises, model appropriately and ensure a reasonable transaction.
For a transaction to proceed with an understanding of the cyber risks, an acquirer must incorporate cyber issues into its assessment of a deal target. With this insight, the risks and cost can be factored into the deal model, negotiation and Day One planning. This includes understanding key cyber risk indicators, including:
Focusing on these areas during a deal will help minimize the chances of digital disruption that could create additional challenges—in the short or long term—and result in an acquirer regretting what once was a promising deal.