By Jake Olcott, VP of Government Affairs, BitSight
Data breaches are a constant in today’s headlines, but in recent years the risk has been front and centre of some of the most significant M&A deals. In 2017, Verizon discounted its acquisition price by $350 million when Yahoo belatedly disclosed that it experienced several massive breaches. And in November 2018, Marriott publicly disclosed that Starwood’s guest reservation database — containing hundreds of millions of personal records — had been compromised since 2014, prior to the Marriott acquisition. These incidents — and countless others — raise critical questions. How should Boards be thinking about cyber risk in the acquisition process? What steps should they take to address this risk prior to the acquisition?
First, Boards must understand that cyber risk can have a significant impact not only on the valuation of a deal, but on future legal liability associated with the transaction. From a Board’s perspective, the fallout from the Yahoo breach is significant — multiple securities class action lawsuits, D&O suits, and recommendations for Board removal. The Board’s responsibility in overseeing cyber risk managementhas never been more crucial.
How can organisations conduct proper diligence into a potential acquisition target? In some circumstances, there may be a public record of an organisation’s cybersecurity posture. Organisations may have disclosed security incidents or issues due to obligation to state or federal regulators. These disclosures may provide clues and insight for an acquiring organisation about the security posture of the target.
But public disclosure is unreliable. Organisations are disincentivised to disclose because it may negatively impact market value. And acquisition targets know that security issues can negatively impact their valuation. In fact, a 2016 survey by Brunswick found that half of all respondents said they would trim their valuation in situations where the target company had been breached – whether the breach was discovered before, during or after the merger.
Acquirers will often try to send their cybersecurity/infosecurity teams onsite to the target in order to gain deeper perspective on the risks and issues that may arise post-acquisition. This is important to properly account for any security “fixes” your organisation will have to implement in order to bring the target up to your standards. But this too comes with challenges. The tools that are available to an acquirer’s cyber team include questionnaires and penetration tests. Even if the target agrees, these methods are both time-consuming and reflect only a “snapshot in time” view — not necessarily historical performance.
How to address these challenges around market transparency? Investors are finding that security ratings can offer significant insight into a target’s cybersecurity posture and address the information asymmetry challenge. Similar to the way that a credit rating provides unique insight into the transactional history of a consumer, security ratings providers continuously collect data in an automated, non-intrusive fashion in order to generate a data-driven, objective rating of security performance. Broad and deep data sets are available that highlight security performance and best practices, giving unique insight into what has — or has not — been managed efficiently over time.
Armed with this data, information security teams can drill down deeper into the security details of an acquisition; valuation teams can consider more deeply some of the risks that were previously opaque.
It’s never been more important to consider cyber risk in your investments. The cyber risk that a given company presents has been an often-overlooked element during the M&A process, but it doesn’t need to be that way. Asking the right questions — and acquiring the right data — can go a long way towards reducing the financial risk in a transaction. Board members should not hesitate to raise this issue with management during the next acquisition meeting.