Cybersecurity Issues Are M&A Deal Breakers

Even as one-time Internet giant Yahoo is swallowed in a $6.5 billion acquisition, merger and acquisitions (M&A) experts have warned that due-diligence audits of companies targeted for acquisition often reveal cybersecurity risks that compromise compliance and could threaten the merger and acquisition activities.

The warnings come in the wake of research, compiled for West Monroe Partners by research firm Mergermarket, that found 70 percent of acquisition targets had compliance issues and nearly half lacked comprehensive data security architectures.

Audits had revealed an abundance of security issues when companies were closely examined by potential acquirers: fully 37 percent of respondents said they had seen targets prove to be vulnerable to insider threats, with 27 percent lacking a data-security team and 17 percent having weak employee password policies.

A third of respondents said they had previously found inadequate mobile security at target companies, while 30 percent had found problems with local server storage and 20 percent had issues with vulnerable cloud storage.

There is no telling what cybersecurity issues emerged during Verizon's examination of Yahoo's internal systems in the lead-up to the clinching of the deal. However, the massive acquisition is likely to have surfaced more than a few outstanding issues that needed to be addressed.

Such findings can often have a material impact on the terms of an acquisition, with 20 percent of respondents saying they would use such findings to negotiate better terms including a lower purchase price.

“To protect themselves from security lapses, acquirers are turning to vigorous due diligence to examine the IT infrastructure of deal targets,” the report notes. “Diligence procedures are quickly expanding and improving – but many companies continue to identify shortcomings in the process.”

Reflecting this expanded focus, some 77 percent of survey respondents said that the importance of security of data at M&A targets had increased dramatically over the past two years, with the considerable costs of data breaches driving acquirers to take an increasingly proactive stance that can also result in deals being iced if a potential acquirer’s cybersecurity defences aren't up to scratch.

And that, the report's authors concluded, is an all too frequent finding once potential acquirers start digging deep into systems that have often struggled to get meaningful funding in the long term. Yet the presence of cybersecurity issues in and of its own is not a deal-killer; only one-third of respondents said they use the information gained in cybersecurity audits to decide whether to go ahead with the deal.

Rather, the key is to evaluate how much impact those issues will have on the business and how easily they can be remedied; some 47 percent of respondents said they used due-diligence findings to start planning for fixes to the problems they identified.

“It's realistic to expect most M&A targets to have a few cybersecurity issues,” the report's authors concluded, noting that a proper due-diligence exercise must examine “the full gamut of risks” including breach history, specific data threats, problems for integration, and the cost of potential fixes. “The key is identifying them and determining how easily they can be addressed.”

The cost of correcting existing problems after a merger was the most frequently-cited concern about cybersecurity issues, nominated by half of respondents. This compared with 43 percent who were concerned about potential complications for post-merger integration; 37 percent worried about frequent or recent data breaches; 37 percent worried about threats to customer data; and 33 percent worried about threats to business data.

Respondents flagged a lack of cybersecurity staff as a key issue during M&A deals, with 32 percent saying not enough qualified staff had been involved in the due-diligence process during recent deals. This had often increased the cost of getting a newly acquired company up to speed, particularly since acquirers inherited both the infrastructure and the risks and potential penalties that would be incurred from an unforeseen security vulnerability.

“The abundance of new data security tools has made it easier to have cutting-edge technology in place,” the report noted. “But the way in which tools are used and relationships are managed remains paramount when it comes to maintaining sound cybersecurity.”

CSO: