The recent cyberattack on the Colonial Pipeline in the U.S. is a glaring reminder of the vulnerabilities that all industries face, as well as the costly repercussions that can be a result of such a situation. Colonial Pipeline Co. paid the hacker group $5 million to have the company released from the ransomware to restore service to the critical pipeline. This actually turned out to be a wasted $5 million. For that high price, the hackers provided the company with a decrypting tool to restore its disabled computer network. But this tool was too slow, and Colonial ended up using its own backups to restore the system.
This incident should bolster concern from any business owner about cybersecurity in general, regardless of their type of company. But cybersecurity is also a factor that should not be overlooked during the M&A process. Firstly, a company’s valuation is often impacted by intellectual property (IP) and data, especially in today’s connected world. Infiltration of your network by bad actors can negatively influence the value of your business in a merger or acquisition, lowering the sale price. Additionally, past breaches will act as red flags for buyers, causing them to have heightened concerns about risks that they are inheriting, also impacting the company’s value. Making this even more of a critical issue is the fact that many M&A transactions are driven by the strategy to acquire technology.
M&A Cyber Due Diligence
If you are planning to sell your company, you should expect potential acquirers to look into your cybersecurity history and current practices so that they can accurately assess value and properly strategize for future integration. This focus is becoming more of a priority for many buyers than it had been in the past. In fact, a 2019 study by Forescout Technologies reported that 81% of respondents agree that they are putting more of a focus on a target’s cybersecurity posture than in the past. And that response was prior to the COVID-19 pandemic, which has caused the world to become even more digitalized, driving more need than ever for cybersecurity concerns.
A potential buyer may inquire about the safety of firewalls and antivirus software, and the competence of the cybersecurity team in charge. They may want to see a security plan supported by a transition services agreement. A buyer may also want to have a monitoring assessment conducted by their own experts.
A buyer may also ask about past cybersecurity problems and how they were resolved. Transparency is key in these cases. While you may feel hesitant to disclose past incidents, you don’t want the buyer to find out that you attempted to hide them, causing them to lose trust in your honesty about the business on issues beyond cybersecurity, as well as your integrity as a seller. This can completely derail what could have been a successful deal. That same study by Forescout reported that 73% of respondents agreed that a company with an undisclosed data breach is an immediate deal breaker in their company’s M&A strategy.
There is also the issue of being at risk simply because you are involved in a transaction. Hackers actually look for ways to insert themselves into M&A deals, no matter whom it impacts. For example, if a bad actor gets wind of a potential acquisition, they can attempt to compromise the business being acquired. These issues are critical to successful integration pre- and post-close. Imagine agreeing to a deal and then being hacked. This is a problem that no party on any side wants to deal with. If the transition has not yet occurred but the companies’ networks are still connected, both could have to shut everything down to deter the worst and evaluate any damage. This can be expensive, as well as a major embarrassment, and can ruin what could have been a prosperous deal for the smaller entity involved.
Stakeholders on all sides can take measures to address concerns during the M&A process and assess risks. Buyers should view cybersecurity as an important part of the due diligence process and get IT teams involved early. IT team leaders on both the buy-side and sell-side should be engaged in M&A activities by their respective companies so they can support security strategies and mitigate risks. And third parties such as M&A advisory firms should advocate for their clients to place proper emphasis on areas of cybersecurity.
These efforts may call for the investment of time and money, but can pay off in the long run. In the U.S. economy, hundreds of billions of dollars are lost in stolen IP each year. That doesn’t even include losses that are caused by disruptions to business or ransomware attacks. The Ponemon Institute’s 2020 Cost of Data Breach Report showed that 80% of breaches involved customer personally identifiable information, with the average cost of a breach costing $3.86 million. Therefore, effective cybersecurity should be a shared priority for buyers, sellers and their partners. Today’s investment can translate to a more secure tomorrow.
Americas: Sam Smoot at +1 (813) 898 2350 / Smoot@BenchmarkIntl.com
Europe: Michael Lawrie at +44 (0) 161 359 4400 / Lawrie@BenchmarkIntl.com
Africa: Anthony McCardle at +27 21 300 2055 / McCardle@BenchmarkIntl.com
ABOUT BENCHMARK INTERNATIONAL
Benchmark International’s global offices provide business owners in the middle market and lower middle market with creative, value-maximizing solutions for growing and exiting their businesses. To date, Benchmark International has handled engagements in excess of $7B across various industries worldwide. With decades of global M&A experience, Benchmark International’s deal teams, working from 14 offices across the world, have assisted hundreds of owners with achieving their personal objectives and ensuring the continued growth of their businesses.