Global threats, recent WannaCry ransom attack fuel awareness
Cybersecurity will increasingly become part of deal-vetting
Executives and investors are hiring an unlikely crowd to help them do deals: computer geeks.
Companies and investment funds are adding an extra layer of scrutiny to acquisitions by screening targets for cybersecurity risks, as global computer attacks raise awareness. That’s prompting offers specifically tailored to takeovers by a variety of players, from consultants like Deloitte LLP to software providers including Intralinks Holdings Inc.
“There’s a risk you’re buying an empty shell,” overpaying for a target whose patents have been spied on and copycatted, or whose sensitive customer data has been stolen, said Michael Bittan, head of Deloitte’s Cyber Risk Services unit in France. “Cybersecurity is not about getting technical, it’s about business impact, and ultimately valuations. It will become a pillar of M&A decisions.”
The wake-up call for cybersecurity expertise during mergers and acquisitions came after a 2014 Yahoo! Inc. hack affected about 500 million accounts, damaging the company’s reputation and causing Verizon Communications Inc. to cut its offer to buy the company by $350 million. There’s concern that computer viruses can be planted and remain dormant until after a deal, leaving the acquirer to cope with stolen customer data, industrial secrets or ransom demands.
At Deloitte, Bittan’s French team started the service about 3 months ago and has signed up about a dozen customers since. Deloitte’s global cybersecurity unit more broadly had sales of $850 million during the full-year that ended end-May 2016 and has a target for $1.8 billion by end-May 2020.
A majority of executives would seek to significantly lower a deal’s valuation in case of a high-profile data breach, a survey by stock market operator NYSE showed last year. About 85 percent of executives interviewed in the study said discovering major vulnerabilities at the audit stage of an acquisition would likely affect their final decision to go ahead with the takeover or back out.
“That trend will grow — we’ll see more companies killing deals or devaluing the target,” said Grace Keeling, head of communications at Intralinks, which has conducted a similar survey. The company, which provides virtual safe-storage rooms to customers including Credit Suisse Group AG during deals, reported most respondents of its survey would cut valuation by as much as 20 percent in case of a breach at the target’s level.
Demand from executives and investors has been growing, as high-profile attacks grab the spotlight. More than 200,000 computers in at least 100 countries were infected by ransomware in May, blocking parts of activity at Germany Deutsche Bahn train stations, the U.K.’s National Health Service, and some factories of French car-marker Renault SA.
“There’s huge potential for development — the more attacks there are, the more cyber audits are likely to become standard procedure,” said Frederic Ichay, a partner at lawfirm Pinsent Masons LLP, who specializes in M&A transactions. “We’ll see more and more of them as we see more cyberattacks against companies and more flaws being exploited, not just blocking computer systems, but also potentially entire factories.”
Those who are getting audits done aren’t out bragging about them though, and there’s good reason for that: attacks are ongoing and a green light from due diligence teams today isn’t a guarantee that a company won’t be vulnerable in the future. Experts interviewed for this story all declined to name their customers.
It’s also because cybersecurity analysis is still part of only a minority of M&A transactions. A 2015 academic report in the Richmond Journal of Law & Technology showed cybersecurity analysis is carried out in less than half of deals.
A report by Freshfields Bruckhaus Deringer in 2014 showed 8 in 10 deal-makers don’t think potential cybersecurity impacts are quantified as part of due diligence. Several experts speaking to Bloomberg said that hasn’t changed much since: cybersecurity isn’t yet a standard analysis like fiscal or social audits, but rather something companies do for very large transactions or operations on companies that value data heavily in their business models.
Phone operator Orange SA, which is investing in cybersecurity to capitalize on a surge in demand from corporate clients, is seeing M&A audits start to pop up on the list of requests from its customers just recently, said Michel Van Den Berghe, chief of the company’s cyberdefense unit.
“It’s something our very large customers are asking for in the final phases of a deal, as part of a mapping of potential risks,” Van Den Berghe said. “It’s the kind of request we’ve been getting for less than a year — it’s barely starting.”