The latest enterprise risk management news from around the world

The importance of cyber due diligence in mergers and acquisition risk management

The need for cyber due diligence in a merger or acquisition of a business is more relevant than ever before. Connor Lattimer, Associate Director at Control Risks, explores the subject, and offers some pointers for risk managers.

On July 9th 2019, the UK Information Commissioner’s Office (ICO) stated their intention to hand out a £99m fine to Marriot International for breaching European data protection law under the General Data Protection Regulation (GDPR). The fine is in relation to a breach that affected Starwood Hotels, one of Marriot International’s recent acquisitions and potentially impacted over 500 million of their guests. According to the ICO’s report “Marriot failed to undertake sufficient due diligence when it brought Starwood and should also have done more to secure its systems”. This failure highlights a need for parent companies and investment firms to improve their management of security and privacy risks across their acquisitions and subsidiaries or face more punitive enforcement action in the future.

Inevitably, mergers and acquisitions have always presented financial, legal and reputational risks and the Marriott case is one in a long line of examples of issues identified after a transaction that could have been dealt with through better due diligence. And in today’s global data economy, cyber due diligence needs to be an integral part of any business investment, just as much as standard due diligence practices are now standard procedure. Customer data is acknowledged by both business and regulators globally as a powerful commodity. So, it is essential for a successful negotiation and deal closure that the acquiring business understands the cyber risks it could be inheriting both before and after an investment is made.

Incorporating cyber into the standard practice of assessing reputational, financial and legal due diligence calculates all the potential regulatory risks to a deal- thereby also protecting the investor from paying a potentially overinflated price or risking an eye watering fine further down the line. Leveraging this information during the negotiation stage can help businesses determine the cost of remediating any weakness identified and potentially, if the costs to remediate are significant, use this in price negotiations. As Marriott and many other businesses who have learnt the hard way found – cyber due diligence makes both reputational and financial sense when acquiring a company today.

So how can cyber due diligence inform a negotiation and what steps need to be taken to get it right?

Learning from the past

Cyber due diligence should now be as integral as other types of due diligence that were once considered an advantageous but non-essential benefit in a deal transaction. For example, prior to the UK Bribery Act (UKBA) or Foreign Corrupt Practices Act (FCPA), anti-corruption due diligence was not systematically applied as part of the deal negotiation process. And those businesses who neglected to do so, did at their peril. Lessons learnt, anti-corruption is now a standard component of merger and acquisition due diligence checks. With GDPR and China’s Cyber Security law among other global data regulations now firmly in place and starting to flex their muscles, the same can be argued when it comes to undertaking cyber due diligence nowadays.

So, what is the barrier to undertaking cyber due diligence? The issue is that it is often misperceived as ‘someone else’s problem’, something that can be sorted post-transaction, or that it can be resolved under the radar from regulators or the public eye, hopefully avoiding any reputationally damaging disclosure. If only that were the case!

Avoiding falling foul of the regulators, any business investing in or acquiring another business must be able to demonstrate they’ve undertaken pre-transaction cyber due diligence to the regulators should a breach be subsequently discovered.

Positive lessons can be learnt from examples such as in 2016 when Verizon, a large American telecommunications company, leveraged findings from their cyber due diligence on two data breaches at Yahoo!. They negotiated a deal whereby Yahoo! would continue to be responsible for liabilities from shareholder lawsuits and federal investigations post acquisition.

Using cyber due diligence to inform negotiations

Cyber due diligence, if conducted as a pre-transaction precaution, can be an important negotiation tool. Careful pre-transaction due diligence allowed Verizon to take £281 million off the purchase price for Yahoo! for consideration of a massive data breach. Cyber due diligence, therefore, serves as a negotiation tool if acquisition decision-makers identify red flags from the due diligence process.

The findings of cyber due diligence can also be used to benchmark other acquisitions – this is helpful to companies who are rapidly expanding their portfolios. This data can be applied to other targets in a portfolio to identify areas of high risk. Standardising the output from cyber due diligence with the findings from traditional due diligence practices enables investors to have a holistic view of risks across an entire portfolio. The data can also be leveraged by deal teams to put the investor in the best position possible to negotiate the price and terms of an acquisition.

What should investors be doing?

Pre transaction cyber due diligence must be conducted by specialists experienced in cyber threat analysis. This could include assessing the external cyber threats and internal maturity of a target company and/or determining the costs of remediating identified security weaknesses. The outputs of these assessments should be shared with deal teams who can make calculated risks about the acquisition and ultimately drive the decision-making on investing. To continue managing the cyber risks to an investor’s portfolio, post-transaction due diligence serves as a valuable tool in maintaining a ‘health check’ on investments. It can also help identify issues which are likely to arise from the evolving regulatory landscape.

Currently, data protection regulations such as GDPR are driving change in the due diligence required by businesses during a transaction. But they are limited to regulatory disclosure once the breach has occurred, and only when it impacts personal information of EU citizens. As security and privacy regulation continues to evolve, we can expect to see greater emphasis on businesses needing to provide accurate information on the health of their systems as a proactive measure, rather than reactive following identification of a breach. Target companies should equally bear this in mind and be assessing their systems ahead of negotiations as part of their overall sales preparation process. Clarity on how any identified weaknesses could impact the acquisition or investment and what measures are being taken to fix them will also avoid stalling the transaction process and guarantee the best possible price for the business.

But of course, it goes without saying that businesses shouldn’t wait for a merger or acquisition process to undertake a review of their cyber security. As cyber security data regulations across the globe continue to emerge and strengthen, few businesses nowadays are immune to the potentially significant reputational and financial impact a data breach can incur. Undertaking a regular assessment, at a minimum annually, of your data procedures and cyber security measures, and identifying if and where cyber threat actors might be able to breach your systems should simply be par for the course for business leaders today. If it’s not a regular point of discussion in your management meetings, then let the experiences of the likes of Marriott be a lesson to you. M&A transaction or not, it’s time to get a grip of your cyber security.

The author

Connor Lattimer is Associate Director at Control Risks.

References



Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.