By John McCauley
When it comes to due diligence in merger & acquisition transactions, cybersecurity should be a primary consideration for companies in all industries. Because what you don’t know about your target company could hurt you later.
In today’s digitally connected world, companies rely on the internet, email, electronic storage and other technology to conduct business. Companies also amass huge amounts of data on their products or services, on their customers and on their employees. This data makes them vulnerable to cyberattacks by hackers looking to profit from sensitive customer data or proprietary information, or from holding that information for ransom.
The FBI estimates that more than 4,000 ransomware attacks occur each day. It’s estimated the average cost of a data breach in 2020 will be more than $150 million.
A 2016 survey of M&A practitioners in the U.S. found 80 percent said cybersecurity issues have become highly important in the M&A due diligence process. Forty percent of acquirers said they discovered a cybersecurity problem after the deal went through.
When a company acquires another, it purchases everything — including its data and any risks associated with the data. That’s why it’s imperative that companies treat cybersecurity as its own risk category during M&A due diligence and incorporate high standards in this category.
High cost of data breaches
Cybersecurity attacks damage businesses, both in reputation and in dollars. Target reported the 2013 breach of more than 70 million customer records and 40 million credit and debit card records cost the company $252 million. When it factored in insurance reimbursement, Target lost $162 million due to the incident. Its sales fell by 46% year-over-year in the fourth quarter of 2013.
The Home Depot’s 2014 data breach came less than a year after Target’s – 56 million credit cards and separate files containing approximately 53 million emails were compromised as a result of malware on its self-checkout systems. The company was sued over the breach and agreed to pay $19.5 million to affected customers. It’s also paid more than $134 million to a consortium made up of Visa, Mastercard and numerous banks. Last year, it settled with dozens of banks, agreeing to pay $25 million for damages those banks suffered as a result of the 2014 attack, resulting in total costs of more than $179 million.
Neiman Marcus was in the process of being acquired when the company was the victim of cyberattacks in 2013. Both Neiman Marcus and its acquirer were unaware of the breach of data involving more than 350,000 credit and debit cards until after the acquisition closed. The company was sued, and Neiman Marcus sought to dismiss the suit, arguing the plaintiffs lacked standing and failed to state a claim. The plaintiffs argued that because of the breach, they were at greater risk of fraudulent charges and identity theft.
The case made it to the 7th Circuit Court of Appeals, which ruled in 2015 that consumers do suffer harm when their credit card information is stolen, making it the first case to do so. Neiman Marcus agreed last year to pay $1.6 million to settle litigation resulting from the breach.
Cybersecurity breaches may also lower the value of a target company to outside buyers. This happened to Yahoo Inc. in 2017 when Verizon Inc. completed its $4.48 billion acquisition of Yahoo’s core internet business. Verizon paid $350 million less than originally planned, because when Yahoo first entered the deal with Verizon, it didn’t initially disclose that it had suffered two data breaches in 2013 and 2014. Yahoo also recently was charged by the Securities and Exchange Commission with failing to disclose those breaches to investors, resulting in a $35 million settlement.
What to look for
The acquiring company needs to dig deeper than the general technology systems in place at the target company and determine how secure the target’s data is and whether it has been compromised. The acquiring company should ask the target company many questions about its cybersecurity practices, including:
• What sensitive data does the target company collect?
• Where is that sensitive data stored?
• How does it protect its data?
• Who is responsible for monitoring the systems and ensuring the data is protected?
• Have there been prior cybersecurity incidents?
• How long did it take for the target company to discover it had been compromised after the incident?
• How will the data be recovered if it becomes compromised?
This list is not exhaustive, so it is important to work with your legal team to determine which specific questions to ask the target company.
Cybersecurity must be an integral part of M&A due diligence, and it must begin as soon as practical in the transaction. Companies that plan on selling in upcoming years will need to be prepared to answer the tough questions that acquiring companies will ask regarding the security of data. Acquirers must know what to look for when examining the target company and its data. Work with your legal team to determine how best to prepare for an acquisition to minimize any cybersecurity-related risk.
John McCauley is a partner and certified information privacy professional at Bingham Greenebaum Doll LLP. Opinions expressed are those of the author.