Executives and investors are hiring an unlikely crowd to help them do deals: computer geeks.
Companies and investment funds are adding an extra layer of scrutiny to acquisitions by screening targets for cyber security risks, as global computer attacks raise awareness. That’s prompting offers specifically tailored to takeovers by a variety of players, from consultants like Deloitte to software providers including Intralinks Holdings Inc.
“There’s a risk you’re buying an empty shell,” overpaying for a target whose patents have been spied on and copycatted, or whose sensitive customer data has been stolen, said Michael Bittan, head of Deloitte’s Cyber Risk Services unit in France. “Cyber security is not about getting technical, it’s about business impact, and ultimately valuations. It will become a pillar of M&A decisions.”
The wake-up call for cyber security expertise during mergers and acquisitions came after a 2014 Yahoo! hack affected about 500mn accounts, damaging the company’s reputation and causing Verizon Communications to cut its offer to buy the company by $350mn. There’s concern that computer viruses can be planted and remain dormant until after a deal, leaving the acquirer to cope with stolen customer data, industrial secrets or ransom demands.
At Deloitte, Bittan’s French team started the service about 3 months ago and has signed up about a dozen customers since. Deloitte’s global cyber security unit more broadly had sales of $850mn during the full year that ended end-May 2016 and has a target of $1.8bn by end-May 2020.
A majority of executives would seek to significantly lower a deal’s valuation in case of a high-profile data breach, a survey by stock market operator NYSE showed last year. About 85% of executives interviewed in the study said discovering major vulnerabilities at the audit stage of an acquisition would likely affect their final decision to go ahead with the takeover or back out.
“That trend will grow – we’ll see more companies killing deals or devaluing the target,” said Grace Keeling, head of communications at Intralinks, which has conducted a similar survey. The company, which provides virtual safe-storage rooms to customers including Credit Suisse Group during deals, reported that most respondents to its survey would cut valuation by as much as 20% in case of a breach at the target’s level.
Demand from executives and investors has been growing, as high-profile attacks grab the spotlight. More than 200,000 computers in at least 100 countries were infected by ransomware in May, blocking parts of activity at Germany’s Deutsche Bahn train stations, the UK’s National Health Service, and some factories of French car-maker Renault.
“There’s huge potential for development – the more attacks there are, the more cyber audits are likely to become standard procedure,” said Frederic Ichay, a partner at law firm Pinsent Masons, who specialises in M&A transactions. “We’ll see more and more of them as we see more cyber attacks against companies and more flaws being exploited, not just blocking computer systems, but also potentially entire factories.”
Those who are getting audits done aren’t out bragging about them though, and there’s good reason for that: attacks are ongoing and a green light from due diligence teams today isn’t a guarantee that a company won’t be vulnerable in the future. Experts interviewed for this story all declined to name their customers.
It’s also because cyber security analysis is still part of only a minority of M&A transactions. A 2015 academic report in the Richmond Journal of Law & Technology showed cyber security analysis is carried out in less than half of deals.
A report by Freshfields Bruckhaus Deringer in 2014 showed 8 in 10 deal-makers don’t think potential cyber security impacts are quantified as part of due diligence. Several experts speaking to Bloomberg said that hasn’t changed much since: cyber security isn’t yet a standard analysis like fiscal or social audits, but rather something companies do for very large transactions or operations on companies that value data heavily in their business models.
Phone operator Orange, which is investing in cyber security to capitalise on a surge in demand from corporate clients, has only recently started seeing M&A audits pop up on the list of requests from its customers, said Michel Van Den Berghe, chief of the company’s cyber defence unit.
“It’s something our very large customers are asking for in the final phases of a deal, as part of a mapping of potential risks,” Van Den Berghe said. “It’s the kind of request we’ve been getting for less than a year – it’s barely starting.”

