Say you’re looking to grow your company. There are any number of ways you can go about doing this; the most common are organic growth, taking on investors, or acquiring other companies. In the latter case, you may have different intentions in mind for an acquisition. For instance…
- You want to move into a geographical territory rapidly
- You want to acquire a certain client portfolio and more of the same kinds of clients down the road (an “upstream” acquisition)
- You want to acquire intellectual property that would otherwise be too difficult, costly, and/or time-consuming to build (a “downstream” acquisition)
- You want to acquire talent and relationships
- You want to take a financial stake in a company in whom you see vast potential
- You want to eliminate or suppress a competitor or potential competitor
When you’re considering an acquisition for these reasons, you’re focused on companies that fit the bill. Once you’ve identified them, you’ll move into your due diligence process. The common M&A due diligence process focuses on financial and risk assessments: what’s a fair asking price for the company you want to buy given what you unearth about its financial health, and what kind of risk might you be acquiring (pending lawsuits, potential regulatory violations, misconduct or any lack of governance, system health and maintenance, etc.) when you buy it?
But one area of risk that is actually the fastest growing, and yet still largely ignored in M&A deals large and small, is a company’s cybersecurity integrity. An undetected cybersecurity issue can wreak havoc on the acquiring company. Cases in point?
- When Marriott International acquired the Starwood Group, it unwittingly also acquired a breach of more than 300 guest records, which has led to fines (estimated to run upwards of $179 million USD), remediation costs, and a class action lawsuit.[i] Meanwhile, its share value plunged 9.6% the day the initial news broke.
- In 2017, Yahoo disclosed three data breaches during its negotiation to sell its internet business to Verizon. As a result of the disclosures, Verizon subsequently reduced its purchase price by $350 million, approximately 7% of the purchase price, with the sellers assuming 50% of any future liability arising from the data breaches.[ii]
Though these examples feature high-profile brands, given the magnitude of a deal and the average cost of the common due diligence process, any double-digit million dollar acquisition should require a cybersecurity assessment to assure the buyer minimal risk of undue exposure to harm. Commonly, the due diligence process itself, between accountants, consultants, and lawyers, will run several million dollars regardless. In the meantime, cybercrime is estimated to inflict damages totaling $6 trillion USD globally in 2021, an amount equivalent to the world’s third-largest economy after the U.S. and China. At its rate of growth, cybercrime is forecast to cost the world $10.5 trillion annually by 2025, a 75% increase in just four years.[iii]
So how do the common acquisition intentions correlate to cybersecurity?
- Geographical Expansion: If you’re acquiring to penetrate a geographic region governed by rules and regulations different from those in your current region (California and the European Union, for instance, have stricter consumer privacy protections), you’re going to need to make sure these security and privacy regulations haven’t been overlooked.
- Acquisition for a Database or Portfolio: As the Marriott and Yahoo examples above show, without the right due diligence, these kinds of data breaches can go undetected until it’s too late.
- Acquisition for IP: If the intellectual property of a company has been compromised due to a security breach, the acquiring company may find itself with years of expensive litigation after an acquisition just to reclaim rights to that IP.
- Acquisition for Talent/Relationships: Much as with an acquisition for a customer database or portfolio, so too are employee and partner databases at risk.
- Taking a Financial Stake: A company that looks financially attractive on the surface may be turned into an investment catastrophe if it doesn’t have its security in order.
- Acquisition of a Competitor: Just because a company seems ripe for the picking to help you pave the way towards new, unobstructed revenues doesn’t mean the deal is without risk. In fact, if the acquisition of a competitor is a hostile one, there may be intentional cyber-sabotage going on that you want to identify prior to the takeover.
So how can companies in acquisition mode mitigate all of these challenges? By conducting a thorough and detailed Security Assessment as part of their M&A due diligence process. Skipping one is a bit like buying a new iPhone 12 Pro Max for over $1,000 but not buying a $30 case to protect it. Don’t be penny-wise and pound-foolish. Protect your investment upfront.
Gigit has been providing cybersecurity services for over 10 years, long enough to witness the exponential growth in the most egregious corporate cybercrimes. With more threats created by remote and globally distributed workforces, Gigit has helped businesses and federal contractors identify and remediate cybersecurity vulnerabilities. Its team of expert, highly certified professionals (CISSP, OSCE, OSCP, CEH, GXPN), with over 100 combined years of cybersecurity experience among them, leads M&A Security Assessments, Pentesting, Industry, Government, and Data Privacy Compliance initiatives and consulting/advisory services. We work directly with CEOs, CISOs, CFOs, and CIOs, as well as investment banks, insurance companies, VCs, and M&A attorneys, to help protect cybersecurity systems and identify breaches that may impact acquisition deals and the ability of companies to do business with government agencies. Among the beneficiaries of Gigit’s services are brands like Uber, Amazon, Walmart, Kohl’s, Equinix, and Interim Healthcare.