M&A risks: check cyber issues before you acquire

When buying a car, it is traditional to look under the bonnet. Buyers look for signs of any irregularities that could cause trouble in the future; they also seek to assess the health of what they are buying. Yet when one company acquires another, companies haven’t always taken cyber-security seriously enough – a situation that needs to change.

In its first annual report published on 3 October 2017, the National Cyber Security Centre revealed that more than 1,000 incidents (over half of which were classed as ‘significant’) were reported to it in its first year of operations.

Recent high profile events including the ransomware attacks that affected the NHS and the ongoing publicity around possible Russian intervention in the US elections have highlighted that almost anyone – from large corporations and public sector bodies to private individuals – can be a target.

From a mergers and acquisitions (M&A) perspective, it is increasingly difficult to ignore the business and reputational risks associated with cyber security. Corporate acquirers, and private equity, will seek to avoid the large (and potentially catastrophic) costs in the event of a breach.

A hole in the wallet

The risk posed by cyber security to M&A deals is increasingly visible - $400m was knocked off the value of Yahoo in the course of its acquisition by Verizon that completed in June 2017 due to two massive historical data breaches. According to a report by MergerMarket for West Monroe Partners (Testing The Defenses – Cybersecurity Due Diligence in M&A - 2016), 23% of senior M&A executives at corporates and private equity firms reported that they had walked away from a deal due to data security issues at the target.

Given this background, it should be expected that the potential impact of cyber security breaches will increasingly come under the spotlight and that the perceived cyber risk will increasingly be priced into PE and corporate transactions (or even cause potential deals to fall away).

In a report by Cyence for Lloyds of London (Counting the cost: Cyber exposure decoded – July 2017), which estimated the scale of economic damage that a large scale cyberattack could cause. The report estimated that there is an insurance gap of up to $45bn of uninsured costs in the event of a massive cyberattack under plausible scenarios.

Cyber security can no longer be ignored

Cyber risks can no longer be considered peripheral irritations for an IT department to sort out – a business’s approach to cyber risk may have a critical impact on the value of the business at exit and, accordingly, should be monitored and managed at board level.

As the frequency, sophistication and scale of attacks increase, the cyber-resilience of target companies is likely to move up in the list of priorities of acquirers. Cyber security and the adequacy of cyber insurance will increasingly attract scrutiny during due diligence, with those failing to provide sufficient answers having the deal called off.

DISCLAIMER
By necessity, this briefing can only provide a short overview and it is essential to seek professional advice before applying the contents of this article. This briefing does not constitute advice nor a recommendation relating to the acquisition or disposal of investments. No responsibility can be taken for any loss arising from action taken or refrained from on the basis of this publication. Details correct at time of writing.