Executives and investors are hiring an unlikely crowd to help them do deals: computer geeks.
Companies and investment funds are adding an extra layer of scrutiny to acquisitions by screening targets for cybersecurity risks, as global computer attacks raise awareness. That’s pro?mpting offers specifically tailored to takeovers by a variety of players, from consultants like Deloitte to software providers including Intralinks Holdings.
“There’s a risk you’re bu?ying an empty shell,” overpaying for a target whose patents have been spied on and copycatted, or whose sensitive customer data has been stolen, said Michael Bittan, head of Deloitte’s cyber risk services unit in France. “Cybersecurity is not about getting technical, it’s about business impact, and ultimately valuations. It will become a pillar of M&A (merger and acquisition) decisions,” Bittan said.
The wakeup call for cyb?ersecurity expertise during mergers and acquisitions ca?me after a 2014 Yahoo! Inc hack affected about 500 million accounts, damaging the firm’s reputation and causing Verizon Communicati?ons to cut its offer to buy the company by $350 million.
There’s concern that co?mputer viruses can be planted and remain dormant until after a deal, leaving the acquirer to cope with stolen customer data, industrial secrets or ransom demands.
At Deloitte, Bittan’s Fre?nch team started the service about three months ago and has signed up about a dozen customers since. Deloitte’s global cybersecurity unit more broadly had sales of $850 million during the full-year that ended May 2016 and has a target for $1.8 billion by end-May 2020.
A majority of executives would seek to significantly lower a deal’s valuation in case of a high-profile data breach, a survey by stock market operator NYSE sho?wed last year.
About 85 per cent of executives interviewed in the study said discovering major vulnerabilities at the audit stage of an acquisition wo?uld likely affect their fi?nal decision to go ahead with the take?over or back out. “That trend will grow – we’ll see more companies killing deals or devaluing the target,” said Grace Keeling, head of communications at Intralinks, which has conducted a similar survey.
The company, which provides virtual safe-storage ro?oms to customers including Credit Suisse Group during deals, reported most respondents of its survey would cut valuation by as much as 20 per cent in case of a breach at the target’s level.
Demand from executives and investors have been gr?o?wing, as high-profile attacks grab the spotlight. More than 200,000 computers in at least 100 countries were infected by ransom?ware in May, blocking parts of activity at Germany Deu?tsche Bahn train stations, the UK’s National Health Service, and some factories of French car-marker Renault.
“There’s huge potential for development – the more attacks there are, the more cyber audits are likely to become standard procedure,” said Frederic Ichay, a partner at law firm Pinsent Masons, which specialises in M&A transactions.
“We’ll see more and more of them as we see more cyberattacks against companies and more flaws being exploited, not just blocking computer systems, but also potentially entire factories,” Ichay said.
Those who are getting audits done aren’t out bragging about them though, and there’s good reason for that: attacks are ongoing and a green light from due diligence teams today isn’t a guarantee that a company won’t be vulnerable in the future. Experts interviewed for this story all declined to name their customers.
It’s also because cybersecurity analysis is still part of only a minority of M&A transactions. A 2015 academic report in the Richmond Journal of Law & Technology showed cybersecurity analysis is carried out in less than half of deals.
A report by Freshfields Bruckhaus Deringer in 2014 showed 8 in 10 dealmakers don’t think potential cybersecurity impacts are quantified as part of due diligence. Several experts speaking to Bloomberg said that hasn’t changed much since: cybersecurity isn’t yet a standard analysis like fiscal or social audits, but rather something companies do for very large transactions or operations on companies that value data heavily in their business models.
Phone operator Orange, which is investing in cybersecurity to capitalise on a surge in demand from corporate clients, is seeing M&A audits start to pop up on the list of requests from its customers just recently, said Mi?chel Van Den Berghe, chief of the company’s cyber defence unit. “It’s something our very large customers are asking for in the final phases of a deal, as part of a mapping of potential risks,” Van Den Berghe said. “It’s the kind of request we’ve been getting for less than a year – it’s barely starting.”