The fujiwhara effect of cyber and deals
January 20, 2020
Cyber security incidents are headline news these days. The rise of data, GDPR and rapid, seemingly never-ending changes in the technology landscape have created the perfect conditions for a cyber storm; combined with the dynamics of a deals environment, this further increases the pace of organisational and technological change.
Despite this, cyber security is surprisingly often overlooked as a diligence item until too late in the deal process, if it is considered at all. This is reflected in some of the findings from our Creating Value Beyond the Deal: technology, media and telecommunications report:
- When we examined acquisitions that had lost significant value relative to the purchase price, 63% of affected companies said that they did not have a technology plan in place at signing; and
- Over two thirds of respondents cited that there was room for improvement in technology and IP due diligence, and it was ranked as the #1 area for “significant room for improvement” overall.
Like walking into a minefield blindfolded
Completing a transaction with either no or insufficient visibility of cyber security and data privacy risk exposures is like buying a car without checking that the mechanics actually work. It could mean you are buying a business that:
- has already been stripped of its IP and therefore value.
- is potentially likely to be subject to severe regulatory penalty because of an existing data breach.
- requires a major infusion of capital in order to ‘right the ship’ and bring security and data protection capability into a stable position.
The point is that if you don’t do appropriate investigatory work during the diligence phase, you simply will not know. Such a position is increasingly hard to justify. That said, there is no such thing as a bulletproof approach to cyber security and no business is ‘risk free’.
The three most common deficiencies we have seen during the course of our due diligence work over the last year have been:
1. The absence of a clear strategy for, or any forward-looking approach to, cyber security: in the technology, media and telecommunications (TMT) sector, when businesses do have ‘a strategy’ for cyber security it is often less a fully realised vision aligned to the wider business plan and more a series of well-intentioned tactical and highly technical fixes that commonly neither get to the root of the problems nor significantly improve overall security capability.
For example, a lack of future-thinking and strategic planning can have magnified ramifications in a divestiture situation, especially where the entity being acquired is to be separated from a parent organisation on which it has been heavily reliant for security support. In such a situation, it is imperative that private equity buyers are able to:
- validate the appropriateness and effectiveness of security TSAs to make sure they are receiving what they believe they are and can avoid major incidents
- construct accurately costed plans for appropriate standalone capability
- execute the transition in such a way as to cost-effectively build standalone security capability and systematically identify and manage security risks introduced into the environment through execution of transitional activities.
2. A failure to carry out appropriate security testing: including lack of regular penetration testing, vulnerability scanning, review of cloud configurations or automated code scanning.
Ultimately, you don’t know what you don’t know. For a buyer, the absence of regular security testing should represent a major red flag, showing the target is not even doing the basics, has a negligible grip on current risk exposure and may even have been breached already.
This was the case in a recent diligence of a technology business where we identified several of the basics were missing. We recommended the buyer carry out a compromise discovery assessment between signing and close to determine if the target may have an existing issue given the lack of security testing and basic capability. What we then uncovered through this was evidence of an existing, ongoing breach and multiple historical intrusions, which were factored into pricing and contracting.
3. Inadequate incident response and recovery capabilities: including the lack of defined plans, formalised exercising or access to external support.
In one recent case, we supported an aircraft manufacturer as it rebuilt its technology estate after a ransomware attack that caused production outages lasting over a month and could have killed the business. In this instance, the lack of effective and appropriately tested response and recovery plans magnified the attack’s impact and ultimately led to approximately €200m being removed from the asset purchase price.
Why would you not?
Increasingly, choosing to gamble on the state of cyber security and data protection risk exposures in a transaction is unjustifiable. By executing cyber security due diligence early enough, you can meaningfully react to the results in such a way as to maximise value preservation, be that through factoring remediation of identified deficiencies into pricing, enhancing TSAs and integration or separation plans, instituting security clauses into contracting and building effective post-deal plans, or cancelling the investment altogether.
The question you should be asking before buying or investing is now not so much ‘should we examine the target’s cyber security’ as ‘why would we not’, given the stakes at play?
For more information, please get in touch today. You can also download our latest M&A insights Creating value beyond the deal: technology, media and telecommunications to understand how 100 TMT executives approach their transactions.