For years, cybersecurity was considered a “check-the-box” discussion during the merger and acquisition (M&A) process. It was almost always examined to ensure there weren’t any glaring issues or major red flags—but due to limited time resources, or the ability to parse out qualitative responses during M&A from real performance, there wasn’t a great deal of importance placed on it. Very few transactions would be prevented due to cybersecurity practices today, however, each M&A does require a financial business case created regardless. This may be as simple as assessing integration costs.
You are probably aware of the security breach at luxury retailers, Saks Fifth Avenue and Lord & Taylor, that compromised payment card information for over 5 million customers. As a result, Hudson’s Bay Company (HBC) who acquired Saks and brought the retail chain to Canada five years ago, suffered a 6.2% drop in shares the following day. Although HBC was able to quickly recover, history has shown that a lack of due diligence on cybersecurity during or after the acquisition process can be devastating to the acquiring organisation.
The reduction in the price of Yahoo, following the acquisition by Verizon is a clear demonstration of the business impact. Following the occurrence of two major Yahoo data breaches, Verizon announced in February 2017 that they have reached new acquisition terms. After slow progress of acquisition following the data breaches, Verizon lowered its purchase price for Yahoo by $350 million, down to $4.48 billion.
Up until recently, cybersecurity due diligence consisted of a set of questions that the acquiring firm presented to the target firm maybe an on-site visit or a phone call. Today, security is a boardroom issue, and the implications associated with it can seriously diminish the value of a future organisation, especially with regard to sensitive data and intellectual property. These have a direct impact on your ability to do business and as a result on the valuation of the deal (Yahoo lost 350M in purchase price value after disclosure).
Typically assessments carried out to measure cyber risk have been point-in-time assessments, such as audits, questionnaires, penetration tests and so on. However, these only provide a snapshot in time of true security posture. Businesses that rely on this type of reporting, especially during the M&A process should consider moving towards more continuous monitoring of the business they intend to acquire and also its third-party ecosystem in order to mitigate any risk that could flow into their organisation upon acquisition.
Luckily, there are security rating tools available that can help you understand the true cybersecurity posture of your acquisition. Security ratings are much like credit ratings in that they measure an organization’s security posture. These are objective tools that deliver a standardised method of reporting risk to the board in a meaningful way.
Below is an information security due-diligence checklist, highlighting the four reasons you should consider using security ratings before, during, and after any merger or acquisition.
- It saves you money in the immediate future.
You likely remember the newsworthy fiasco between Canadian-based TIO Networks and PayPal: the payment processing company was acquired by PayPal in July 2017 for $238 million. Just a few months following the acquisition, TIO Networks revealed that as many as 1.6 million of its customers may have had personal information stolen in a data breach.
Companies that conduct thorough due diligence of the security posture of acquisition targets using security ratings review historical security data and can use that information to better structure M&A deals. If their acquisition target has a long or constant history of security issues they may be able to negotiate a lower sale price to counteract potential cyber risks. More importantly, acquiring companies may also be able to help targets improve their security posture, thereby reducing the level of risk incurred as a result of the transaction.
- It saves you money in the long term.
While some companies have been breached during a merger or acquisition transaction, others have been breached well after the deal has gone through. A prime example is TripAdvisor’s 2014 purchase of Viator, a tour-booking company. Just a few weeks after the completed transaction, Viator’s payment card service provider announced that unauthorised charges occurred on many of its customers’ credit cards. The breach affected 1.4 million users and led to a 4% drop in TripAdvisor’s stock price.
Security ratings can help. Security ratings are correlated to the likelihood of a breach, so if the rating of an acquisition target indicates they are at risk for a future cyberattack, that risk is inherited by the acquiring company as part of the deal.
- It aids collaboration between the acquiring company and their target.
Since acquiring companies inherit the digital footprint of organisations they buy, security and risk departments at both organisations need to have a simple and effective way to collaborate and plan appropriate integration investment Here is how BitSight Security Ratings can help with this process:
- Acquiring organisations can invite any target company to take a look at their own digital infrastructure and security posture free of charge.
- Target companies can then use the platform to review their own digital infrastructure, including any owned IP addresses and domains. This is a very important step as many companies often own IP space they may not have accounted for. The acquiring organisation needs to know precisely what is being consolidated, because once the deal is finalised, the acquiring company has a much larger attack surface—so they must be aware if there are any infections or issues so they can monitor adequately going forward.
- It gives you a competitive business advantage.
Today, cybersecurity is a business differentiator, and organisations who have a good security rating may use it as a selling point. For example, a highly-rated law firm would be considered more trustworthy. The same idea can be applied to acquisitions. Acquiring a company with a good security posture could be a strategic move, as it could either reinforce or enhance your company’s own security posture and strategy.
In a nutshell, using security ratings is a critical step to continuously monitor your acquisition before, during, and after an M&A deal. Without this real-time look at your target’s security posture and performance, you could end up acquiring vulnerabilities that could cause major damage if exploited. Indeed analyst firm Gartner issued an M&A report earlier this year stating how important Cybersecurity is in the due diligence process. Not only will this save your organisation money immediately but prevents future risk of financial losses, aiding your collaboration with the target company and improving your business prospects. For more information, you can download this data sheet.
By Tom Turner, CEO, BitSight