While transparency is the goal, full visibility into each party’s operations is virtually impossible for companies engaged in a deal. The M&A process typically doesn’t allow much time to assess the complete state of cybersecurity at a target, and in some cases, such as an auction, access to the target can be severely limited. Absent that, there are steps an acquirer can take to reduce the potential financial costs from cyber issues.
On one recent deal, for example, target management represented that they complied with the Payment Card Industry Data Security Standard (PCI DSS) and provided supporting evidence. However, a review of the target's in-store point-of-sale (POS) technology and its PCI documentation clearly showed that both needed significant investment.
The POS technology was no longer supported by the vendor and could not achieve compliance with PCI DSS, which is required as of the first quarter of 2018. Remediating these identified issues required an additional investment of more than $2 million to upgrade the POS platform, its supporting technology and additional cybersecurity measures to maintain compliance.
Cyber due diligence is similar to that for the Foreign Corrupt Practices Act and anti-bribery and anti-corruption issues. In these situations, a buyer must assess risks and vulnerabilities with imperfect information, yet it fully inherits the actions – or inactions – of the target. As a result, there could be a need for immediate remediation after the deal closes, or even between signing and closing.
In addition, because cyber events can go unnoticed for months if not years, traditional protections like representations and warranties can be ineffective. The parties in a deal may believe in good faith that all’s well, unaware that a significant threat could lie beneath the surface and may not emerge until well after closing. After TripAdvisor acquired travel site Viator in 2014, its payment card service discovered unauthorized charges on customer credit cards. Ultimately, the company learned that hackers had stolen information on 1.4 million customers.