Cybersecurity Concerns For Buyers And Sellers In M&A Transactions

Cybersecurity concerns for buyers and sellers in M&A transactions have stepped into the forefront. That’s because technology is an indispensable part of business operations in today’s world. Companies must rely on tech capabilities to remain competitive and offer top-notch products and services to their customers.

However, integrating technology and compiling huge amounts of data also means a higher risk of cyber attacks and vulnerabilities. Before entering into M&A transactions, dealmakers need assurance that the target has the necessary security protocols to stay protected.

Cyber attacks and hacking incidents cost organizations millions of dollars each year, with increasing risks year after year. As businesses move their operations to the cloud to enhance efficiency, speed, and their customer base, they invite more risks.

Further, to continue to operate efficiently, businesses must compile, use, and transfer personal data. This data may come from vendors, suppliers, customers, employees, and other stakeholders. The possibility of Personally Identifiable Information (PII) leaks raises the risks of fines and penalties for regulatory non-compliance.

Worldwide laws and regulations require organizations to secure the PII entrusted to them. Any leaks can incur serious crackdowns that companies want to avoid at all costs. While hacking incidents are a real threat, the human error factor is another risk that companies must account for.

For this reason, cybersecurity concerns for buyers and sellers in M&A transactions are valid. Advisors and dealmakers must address them at every step of the process and secure the companies and the transaction.

Cybersecurity Concerns for Buyers and Sellers in M&A Transactions

Cybersecurity has become such a crucial concern that if the due diligence raises any red flags, the deal could fall through. Technology is the key driver in close to 14.5% of global M&A, accounting for $286.4B worth of deals. However, 53% of them are jeopardized because of cybersecurity concerns.

The discovery of cyber threats in the target company can also lead to its valuation dropping in a big way. A great example is Verizon’s acquisition of Yahoo! For $4.8B. Cybersecurity concerns resulted in Verizon lowering the price by $350M. Yahoo! ended up paying $35M in penalties and $80M to settle actions by shareholders.

Cybersecurity Concerns in M&A Deals – The Buyer Perspective

Decision-makers on the buyer’s end of the table must carefully evaluate the potential risks that can threaten assets and operations. These threats extend to the firm’s customer information, credit card and payment data, Intellectual Property (IP), and Intangible Assets (IA).

If the target’s security systems are flawed and vulnerable, that can expose the buyer to a wide array of risks. These risks can impact revenues, profits, brand reputation, market share, and market value, not to mention litigation and penalties.

Identifying the potential vulnerabilities that hackers can exploit and quantifying the risks in terms of monetary value are crucial approaches. Prior to the purchase, acquirers also need to work out if and how to manage and mitigate the risks. And the expenses they have to incur to remedy the fallouts.

During the cybersecurity due diligence process, buying entities must consider these aspects:

Cybersecurity Protection Protocols

The target company’s data, cyber security, and information technology practices are under scrutiny. This aspect is particularly critical in the case of companies that are heavily reliant on their data and IP assets. The IP assets may include digital knowledge, technical know-how, and expertise.

If the company’s key operational drivers are IT assets, they should have regularly updated policies and protocols for securing them. They must retain third-party cyberthreat professional teams to conduct vulnerability and penetration testing to assess the risk exposure.

The company management should also conduct regular workshops and training sessions to educate their employees about cyber threats. And institute practices to avoid and avert them.

Depending on the scope of the risk, buyers can request that the merger agreement include relevant representations and warranties. They can also require indemnification obligations to cover risks and threats that emerge after the deal’s closing.

Compliance Issues

As part of the cyber due diligence, buyers can request the target’s management personnel for detailed information about their data. The team can expect to answer questions about how they collect, store, use, transfer, and share the data.

Buyers can also expect confirmation that the data handling practices comply with the company’s policies and relevant regulations. Any non-compliance can make the acquiring company liable for the penalties, which is why they should work out risk allocation.

Acquirers will also want to know how the non-compliance is likely to impact the value of not just the data. But also the company that owns the data. Typically, laws require purchasing companies to reach out to users to acquire fresh permission to store and use data. This factor can pose a hurdle.

Most importantly, data and privacy compliance laws are dynamic and undergo changes to keep up with evolving security concerns. Before purchasing a firm, buyers will want confirmation that the company is on top of its obligations.

Historical Threats

Before offering terms of purchase, the buyer will want to scrutinize any security breaches that have occurred in the company. They will also want information about how the management handled the breach, how it occurred, and the entities impacted.

The steps taken to fill the gaps and the costs incurred are other cybersecurity concerns for buyers and sellers in M&A transactions. Cyber threats often result in the company’s operations stalling as the incident has been investigated thoroughly. Sellers may have to provide detailed information about such incidents.

Even if the target has not experienced any breaches, the cyber professionals will want to investigate its systems. They must check if the management is unaware that a breach has occurred weeks or even months in the past.

Keep in mind that in fundraising, acquisitions, or mergers, storytelling is everything. In this regard, for a winning pitch deck to help you here, take a look at the template created by Silicon Valley legend Peter Thiel (see it here) that I recently covered. Thiel was the first angel investor in Facebook with a $500K check that turned into more than $1 billion in cash.

Remember to unlock the pitch deck template that is being used by founders around the world to raise millions below.

Cyber Liability Insurance

Rising cybersecurity threats have now led to companies going under when they are unable to carry the costs. Steep penalties, fines, and lawsuits result in businesses having to close down after a cyber attack. Insurance companies are now providing coverage against such risks.

When scrutinizing the target’s financials and other statements, buyers will want information about the policies the target has purchased. They will also want to know the scope of coverage and the types of threats the policy covers.

For instance, cyber and professional liability policies may exclude payment diversion fraud coverage for certain risks. These may include phishing, spoofing, and similar social engineering incidents. As a rule, cyber risk policies also specifically exclude fiduciary liability litigation, which is brought by most high-value actions.

Transferring coverage and the need to renegotiate the terms will also be a part of the discussions. The legal team may want to examine the clauses for runoff insurance. Or claims against companies that have merged, been acquired, or gone out of business.

Handling Data During the Transition

Although sellers share documents and other relevant data in secure virtual data rooms, the threat of hacking incidents is real. Leaks and other threats can occur when the data is being transferred during the transition process.

Dealmakers will want to institute complete security protocols to prevent this from happening. They will also want to limit access only to essential personnel authorized to handle and process the assets.

Even after the deal closes, buyers will look to secure their ownership of the assets they have acquired. Further, they will want security from possible exposure to leaks, malware, or unauthorized copying that can reduce value.

Trojan Horse Concerns

Buyers can be understandably concerned about the malware and viruses infecting the data and IP they purchase. During integration or when using digital assets, the malware could potentially infect the entire IT systems of the surviving company.

Any vulnerabilities leaking into the acquirer’s company could not only stall their operations but also cause serious losses. To counter this possibility, dealmakers may employ professional cyber sleuths to examine the assets and other digital property before integration.

Cybersecurity Concerns in M&A Deals – The Seller Perspective

Cybersecurity concerns for buyers and sellers in M&A transactions can make or break the deal. On their part, sellers can take the necessary steps to mitigate the risks and ensure that the deal proceeds smoothly.

Most importantly, asset owners will want to minimize exposure to the possibility of the data getting stolen, copied, or plagiarized. During negotiations, sellers may have to make their data available for examination to evaluators, which raises the risk of hacking.

At the same time, they will want to get full value for the assets. Several nuances need to be addressed, such as ensuring that the seller transfers crucial governance issues along with the assets to eliminate liability post-separation. But that’s just for starters.

Including Contingencies in the Purchase Agreement

Before putting up the company for sale, the seller must conduct investigations into the security gaps in their data and other assets. These gaps will likely emerge during the due diligence and can lower the company’s value. Alternatively, the buyer may require compliance clean-ups before the closing.

Negotiating a specific indemnity in the purchase agreement, depending on their perceptions of the risk, is another possibility. Sellers may have to offer look-back options where the buyer is entitled to compare the revenues from the last 12 months with the revenues in the 12 months post-closing.

Acquirers can also match the expenses from the last 12 months with the next 12 months. This process allows dealmakers to verify the claims made by the seller. In case of discrepancies, the buyer can demand a pro-rata adjustment in the company’s value.

Including materiality scrapes and qualifiers in the merger agreement is another way for sellers to mitigate some of the liabilities.

Information Sharing

When pitching for funding or sale, sellers must provide detailed information to the buyer for accurate valuations of the assets. That’s how they can arrive at precise numbers after the due diligence. But, before offering this data, sellers have the right to safeguard their sensitive information from risks.

They can do this by requesting investors or prospective buyers to sign an NDA. Dealmakers typically draft the provisions of the NDA in accordance with applicable privacy laws that protect the sellers. Accordingly, they can work out how and when to present information in virtual data rooms.

Sellers can also add contingencies to minimize unnecessary disclosures and limit the information they share. For instance, they need not reveal the personal data assets they’ve compiled during the course of their operations. Or they provide a few examples only.

Decision-makers have one more option to counter cybersecurity concerns for buyers and sellers in M&A transactions. To use the anti-trust laws and protocols outlined in the Clean Team Agreement for sharing highly sensitive information.

How to Minimize Cybersecurity Concerns

Dealmakers can take several steps to minimize the risk of cyber threats during the transaction’s progress. For instance, they can minimize the access granted to non-essential personnel, including employees, contractors, and any third-party service providers.

Sellers should work out security protocols for transferring data to buyers that extend to the data storage systems. All security measures should be current and updated. Dealmakers should purchase relevant insurance coverage as an added layer of protection against breaches.

Buyers and sellers should be aware of the privacy and information security compliance issues the M&A deal is subject to. The best way to institute these measures is to have an in-house cybersecurity team to handle the protocols and guidelines.

M&A advisors may also advise retaining the services of neutral third-party experts to execute the due diligence. These professionals may also manage the transfer of assets with regulatory compliance to maintain privacy and security. Identifying and patching vulnerabilities and gaps is also part of their job description.

In today’s data-driven world, overlooking cybersecurity concerns can not only result in deals falling through. But also risks, damages, and losses from non-compliance.

Addressing the risks and taking the necessary steps to mitigate them is essential to ensure that the transaction progresses smoothly.

You may find interesting as well our free library of business templates. There, you will find every single template you will need when building and scaling your business completely for free. See it here.