Cyber and Data Privacy Risks Every Investor Should Know During a Deal

Global dealmaking had a historic year in 2021 and is expected to continue its hot streak into 2022. Global M&A volume for 2021 hit $5.8 trillion, up 64% from the previous year, with over 60,000 deals [1]. Beyond the traditional risks that factor into these deals, smart investors have started to recognize the criticality of cybersecurity and data privacy due diligence as a component of any successful investment. Gone is the day when it was sufficient to have cybersecurity as a single line item within IT due diligence. When cybersecurity due diligence is broken out as a distinct activity and properly used, it can help identify critical exposures and other important factors that can impact the valuation of a deal.

From our collective experience supporting over $400 billion in M&A transactions, the Ankura Cybersecurity Advisory team has captured deep insights into investment risks. Below are critical considerations for evaluating how cybersecurity and data privacy risk factors into a target’s valuation, before and after a deal.

A Change in Thinking 

Cybersecurity was traditionally thought of as an IT issue – something for the “technologists” to figure out and not something that needs to be elevated to the executive and board levels. Over the past five years, that has vastly changed, causing organizations to rethink how they evaluate and manage that risk. As we’ve now borne witness to a countless number of data breaches, most business leaders would argue that cybersecurity is absolutely an enterprise-level risk that compels attention across all levels of an organization. With the average cost of a data breach being over $3M, a breach can have a significant financial impact on an organization, even to the point of forcing it to shut down. Our thinking has rightfully evolved, and it's now important to extend that thinking into deal-making.

We Found a Data Breach – Now What? 

We’ve seen this happen in the past: after a buyer completes a transaction, they discover a previously unknown cybersecurity risk and/or, worse, an existing breach. The most commonly known example is Marriott's acquisition of Starwood in 2016. In this case, attackers had already gained a foothold in Starwood systems, which were then integrated into the Marriott IT environment, giving the attackers access to the broader landscape and resulting in hundreds of millions of individuals' personal information being stolen. While that is an extreme example, it highlights the importance of conducting thorough cybersecurity and privacy diligence on potential acquisitions.

Additionally, there has been a prominent increase in threat actors focusing on mid-market acquisition targets. These organizations, which may be acquired shortly, will have access to more funds and generally tend to have less mature cybersecurity controls (as compared to larger enterprises). The number of attacks linked to private-equity markets continues to grow, further bolstering the case for a more thorough diligence assessment on cybersecurity.

Do I Really Need Cyber & Privacy Due Diligence for Every M&A Transaction? 

The next logical question is: does every deal need to have cyber and privacy as a diligence item in an M&A transaction, and if so, what should I be looking for? Cybersecurity and data privacy are important aspects of every company. Whether you are a financial institution, a manufacturer, or a brick-and-mortar retailer, digital data and systems are utilized to enhance operations, and therefore cyber and data privacy risk exists. The level of risk that exists will differ and drive the depth of diligence conducted and the criticality of the potential risks that are uncovered.

Key Risk Factors to Know 

Unfortunately, this has not traditionally been done in all due diligence processes, beyond one or two questions baked into the IT diligence process asking whether the organization has security controls in place. Luckily, there is a thoughtful approach to reviewing and understanding cyber risk efficiently that provides valuable insights. There are a few key things to identify, as best you can, based on the specifics of the deal:

This list does not highlight everything that can or should be reviewed, but it does highlight areas that will provide key insight into the risks that exist and therefore the potential value of the deal. Other factors such as cyber insurance may provide additional coverage for cyber risks and affect the overall deal value. 


© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

