Global dealmaking had a historic year in 2021 and is expected to continue its hot streak into 2022. Global M&A volume for 2021 hit $5.8 trillion, up 64% from the previous year, with over 60,000+ deals. . Beyond the traditional risks that factor into these deals, smart investors have started to recognize the criticality of cybersecurity and data privacy due diligence as a component of any successful investment. Gone is the day when it was sufficient to have cybersecurity as a single line item within IT Due Diligence. When cybersecurity due diligence is properly used and broken into a distinct activity, it can help identify critical exposures and other important factors that can impact the valuation of a deal.
From our collective experience supporting over $400 billion in M&A transactions, the Ankura Cybersecurity Advisory team has captured deep insights into investment risks. Below are critical considerations for evaluating how cybersecurity and data privacy risk factors into a target’s valuations, before and after a deal.
A Change in Thinking
Cybersecurity was traditionally thought of as an IT issue – something for the “technologists” to figure out and not something that needs to be elevated to the executive and board levels. Over the past five years, that has vastly changed and has caused organizations to rethink how they evaluate and manage that risk. As we’ve now born witness to a countless number of data breaches, most business leaders would argue that cybersecurity is absolutely an enterprise-level risk – that compels attention across all levels of an organization. With the average cost of a data breach being over $3M, that can have a significant financial impact on an organization – even to the point of them having to shut down. Our thinking has rightfully evolved and it's now important to extend that thinking into deal-making.
We Found a Data Breach – Now What?
We’ve seen this happen in the past – after a buyer completes a transaction – they discover a previously unknown cybersecurity risk and/or worse - an existing breach. The most commonly known example is that of the Marriott acquisition of Starwood in 2016. In this case, attackers had already gained a foothold into Starwood systems which were then integrated into the Marriott IT environment – now giving them access to the broader landscape and resulting in hundreds of millions of individuals' personal information being stolen. While that is an extreme example, it highlights the importance of conducting thorough cybersecurity and privacy diligence on potential acquisitions.
Additionally, there has been a prominent increase in threat actors focusing on mid-market acquisition targets. These organizations which may be acquired shortly will have access to more funds and generally tend to have less mature cybersecurity controls (as compared to larger enterprises). The growing number of attacks linked to private-equity markets is continuing to increase and just further bolstering the case for a more thorough diligence assessment on cybersecurity.
Do I Really Need Cyber & Privacy Due Diligence for Every M&A Transaction?
The next logical question is –does every deal need to have cyber and privacy as a diligence item in an M&A transaction, and if so, what should I be looking for? Cybersecurity and data privacy is an important aspect of every company. Whether you are a financial institution, a manufacturer, or a brick and mortar retailer – digital data and systems are utilized to enhance operations and therefore cyber and data privacy risk exists. The level of risk that exists will differ and drive the depth of diligence conducted and the criticality of the potential risks that are uncovered.
Key Risk Factors to Know
Unfortunately, this has not traditionally been done in all due diligence processes other than one or two questions baked into the IT diligence process to ask if the organization has security controls in place. Luckily, there is a thoughtful approach to review and understand cyber risk in an efficient manner that provides valuable insights. There are a few key things to identify, as best you can, based on the specifics of the deal:
This list does not highlight everything that can or should be reviewed, it does highlight areas that will provide key insight into the risks that exist and therefore the potential value of the deal. There are other factors such as cyber insurance that may provide additional coverage on cyber risks and affect the overall deal value.
Whether you are looking to sell and make sure you are proactively positioning yourself for the best valuation possible or you are seeking to buy and want to understand all the circumstances that will directly impact the success of the deal - cybersecurity should be on the top of your mind early and often. Cybersecurity incidents are, at a minimum, disruptive, and can be far worse – so it’s important to understand the level of risk you are taking on during an M&A transaction. With the digitization of businesses, cybersecurity and privacy risks are only increasing. Sellers need to be transparent, and buyers need to be willing and able to spend time specifically on these issues and risks to make informed decisions.