Acquiring a target company for a merger is as dangerous as ever in the age of cybersecurity. Target companies can be rife with more problems than assumed. Especially relating to cybersecurity. If negligence by the target company is discovered there will be devastating effects to the transaction and possibly even termination of the deal altogether. This is not an isolated problem considering 52 out of 100 global executives reported inheriting cybersecurity problems after an acquisition. Thirty-five of the same group even said that they terminated a deal altogether after discovering an irreparable cybersecurity obstacle.
The problems that plague mergers and acquisitions are numerous but revolve around several key aspects. These can be solved by communication between the entities and a competent cyber-risk team.
The first problem to be analyzed is if the target company has already been breached. This can be determined through risk intelligence that scours all corners of the internet tracing possibly breached information. Discovery of sensitive information from the target company on the internet could help the acquiring company determine if the acquisition is even a viable option or possibly involve a reduced price.
Second, the target company's networks must be examined for vulnerabilities. Certain vulnerabilities can provide direction for the acquiring company on how to go about integration of the two entities. It will also determine how much this integration will cost before the deal is finalized.
Determining the status of the target company's cybersecurity will also reveal what needs to be done to comply with new laws. This aspect of compliance is highlighted as a top priority for the acquiring companies by the New York Department of Financial Service (NYDFS) to avoid costly litigation. This is especially true regarding new regulation laws such as the GDPR.
To avert crippling cybersecurity problems in a merger and acquisition there must be a diligent risk assessment that covers the target company's ability to comply with the prevalent laws, its potential vulnerabilities, and revealing any previous data breaches. Neglecting to do so could potentially result in massive losses for the acquiring company.
Nothing illustrated this more than the Verizon acquisition of Yahoo last year. During the process of the deal, the largest data breach at the time was uncovered thereby slashing the price of the deal by $350 million. Over a billion accounts and 500,000 profiles were compromised. The ensuing embarrassment from hiding this critical information caused the CEO, Marissa Mayer, to resign. Perhaps most important, Yahoo's user base also fled the untrustworthy web service after the truth about their sensitive information became clear. This scenario is exemplary of the risks of not assessing risk before mergers and acquisitions. The result was effectively financially devastating and trust between consumer and company was ultimately obliterated.
Domain5 is a premier cyber risk company backed by a cohort of professional cybersecurity veterans with experience ranging from the intelligence community Fortune 500. Our elite team of cybersecurity professionals has the means, resources, and resolve to ensure thorough and multi-dimensional due diligence for mergers and acquisitions. Domain5 strives to help companies feel confident and aware during periods of mergers and acquisitions, ensuring smarter and more strategic business decisions.