Cybersecurity considerations in M&A are the top priority for dealmakers assessing the viability of a company. In today’s economic landscape, organizations are almost entirely dependent on Information Technology to run their operations efficiently.
Almost every aspect of the company, from calculating financials to supporting day-to-day functioning, requires technology. This is even more true for tech-driven businesses creating and delivering digital, physical, and SaaS products and services to their customers.
Assessing the targeted company’s exposure to risk is an integral part of the due diligence process. Acquirers must evaluate the risk they’ll expose their companies to when integrating the purchased startup after the merger or acquisition.
Cybersecurity considerations prevail at every step of the M&A process, from end to end. As an acquirer, you’ll get your team of legal consultants and advisors to evaluate the company by examining the relevant documents.
Sellers typically deploy a secured virtual data room to share information without the risk of hacking. Even so, teams checking through the financials, IP title and ownership-related paperwork, and other details need to protect themselves.
They are exposed to malware and other threats that may infect the files. Cybersecurity risks can result in delays in acquisition procedures at every step of the way. Managing the transactional and post-closing risks efficiently helps you prepare for them.
Acquirers can also accurately anticipate the costs of recovery and damage control in case of a cyber attack. Incidents like these can affect the seller, buyer, and the surviving company at the end of the deal. How big can the potential losses be? Why are cybersecurity considerations in M&A valid?
Check Out These Statistics
The losses from cybersecurity and data breaches worldwide have been rising through the years. In 2023, this cost was around $4.45M, demonstrating a 15% rise over the last three years. Ransomware breaches have cost organizations $5.3M, which is a 13% rise since 2022.
The year-over-year rising risks are prompting dealmakers to prioritize cybersecurity-related due diligence when conducting transactions with third parties. This policy is extending to M&A deals, and experts estimate that 60% of organizations will focus on cybersecurity capabilities.
Around 73% of the surveyed respondents estimate that acquiring intellectual property (IP) and intangible assets (IA) is their core focus for M&A strategies. At the same time, 62% acknowledged that they face higher cybersecurity risks when buying new companies. Cybersecurity considerations in M&A are the top priority when entering into deals.
That’s why due diligence procedures will examine several core areas, including the target’s valuation and the seller’s representations and warranties. With cybersecurity emerging as one of the key considerations, due diligence now focuses on its effects on intellectual property.
You’ll also examine financials, insurance, commercials, legal risks, and ESG compliance. All of these factors influence the final decision and whether the deal will terminate or close.
Technology and the IoT Have Become Indispensable
Technology and the Internet of Things (IoT) have become an integral part of every organization. They ensure maximum productivity, cost-effectiveness, and greater efficiency in every aspect, whether internal efficiency or customer service and support.
Companies must integrate the IoT into their day-to-day operations to stay competitive and on top of their game. And that includes IoT devices like security cameras, VoIP for communication, smart lighting, printers, and an array of office devices. Together, this network keeps the company functional.
But the IoT also opens the organization to cybersecurity attacks, malware, ransomware, and more. To counter this risk, companies are relying on purchasing cybersecurity protection insurance, paying premiums amounting to $7.2 billion in 2022.
Using technology in an organization exposes it to new threats and vulnerabilities. These risks can impact the company’s stakeholders and any third parties that engage in business transactions.
The situation has reached a point where paying a ransom is now a business decision instead of a cyber team decision. For this reason, when conducting due diligence into a target company’s processes, acquirers focus on the potential risk factors.
They’ll also take a closer look at the cybersecurity risks the seller has faced and countered in the past. The security measures that are already integrated or purchased are other areas of concern. If the company has been a target and has paid off hackers, buyers want to know about it.
Due Diligence in IP-Driven M&A
When purchasing a company, buyers also take over its intellectual property and other intangible assets. Increasingly, M&A deals are IP asset-driven, with dealmakers entering into M&A for the sole purpose of acquiring the assets.
In that case, cybersecurity considerations in M&A are the primary concern. Without robust security, hackers can get hold of the intangible assets and expose them to competitors. If that happens, the IP’s value is lost to the buyer. Competing brands may build and release similar products in the market long before the IP buyer.
Once the IP is available in the open market, the purchasing entity may find it hard to enforce its title rights. Anti-infringement laws may not be applicable to intangible assets without clear ownership or with unclear rights to usage. The seller’s company may also be a target of litigation for title issues.
Knowing how to navigate the due diligence process is a critical skill that you’ll need at every step. Whether fundraising, selling a business, or buying a company, you’ll learn how to identify or provide pertinent information.
Breach of PII Due Diligence
Data breaches of Personally Identifiable Information (PII) are a significant issue in the US, with losses totaling $9.48M. A small business that becomes the victim of a hacking incident is likely to close its doors within six months.
Several factors can lead to the company sustaining financial losses, including regulatory fines and class action lawsuits from affected entities. Companies are liable to all their stakeholders, including vendors, customers, employees, and investors, to secure their PII.
A cybersecurity incident also results in stakeholders losing confidence in the brand and moving their business elsewhere. Such incidents can prove disastrous for the company, which is something buyers need to know about.
If the seller’s company has been the victim of such attacks, due diligence will uncover the extent of the damage. The meticulous examination will also reveal the gaps in security that need to be filled. If needed, the buyer may have to invest in advanced measures to shore up the company’s defenses.
They may have to investigate the possibility of similar breaches occurring in the acquirer’s company once the integration is complete. Most importantly, the buyer has to assume any pending liabilities, including ongoing cybersecurity-related litigation, that the target has.
Accordingly, litigation costs and related expenses, including fortifying the defenses with advanced solutions, will lower the company’s valuation. Buyers can negotiate for lower prices since they’ll deal with these issues and the possible contingencies of future lawsuits.
Loss of Assets
In current cybercrime incidents, hackers not only steal information and data, but may also destroy records stored at the source. Loss of this data has now become the most critical aspect of the attack and represents 43% of the total financial damage.
Acquirers purchasing a company for its intangible assets like proprietary data may first conduct due diligence to secure the data. They’ll want to ensure that the data and its full scope are available and can be deployed for financial gain.
In case the assets are unavailable, corrupt, and unusable, the buyers may want to walk away from the deal. That’s why dealmakers retain the services of expert cyber teams to investigate the IP and IA to ascertain their value.
Regulatory Compliance Issues
Depending on the business vertical where they operate, companies must stay compliant with relevant regulations. Any non-compliance issues can result in steep fines and penalties that can cripple the company. Investigating potential violations is part of the due diligence process.
For instance, companies operating in the healthcare sector must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This law requires entities to secure sensitive patient personal health information; any breaches can result in fines.
Statistics indicate that in the last three years, from 2020 to 2023, healthcare data breach costs have risen by 53%. Here’s another: after a cybersecurity breach, hospitals must allocate 64% more funding toward advertising in the next two years.
Similarly, businesses in the hospitality sector must maintain compliance with the Payment Card Industry Data Security Standard (PCI-DSS). Dealmakers entering into M&A transactions with such businesses need assurance that the collected and stored customer data is secure.
Acquirers may not want to enter into deals where they must assume seller-incurred liabilities. Aside from monetary losses, buyers may have to deal with diminished brand value and loss of customer confidence. Loss of market value and lower revenues and profits are also causes for concern.
Issues like these can cripple the surviving company, making them prime cybersecurity considerations in M&A.
Contingencies for Repairs & Damages
The costs of damage control from a cybersecurity incident can be significant. The loss of assets and proprietary data is only the tip of the iceberg. When acquiring a company, buyers may want to include several contingencies in the merger agreement.
They may insist on setting aside a significant amount for remediation to manage security breaches and regulatory compliance. Not only can these factors affect the company’s price, but they also require indemnifications from the seller.
Acquirers want safeguards against all kinds of risks, including known, unknown, historical, current, and future risks. Accordingly, they will likely engage third parties to conduct a thorough assessment of the target company.
These experts run the company’s systems through penetration and vulnerability testing. Creating a structured and well-planned approach to the cybersecurity due diligence process is crucial. That’s how it will be efficient, effective, and thorough while addressing the risks across all areas.
Information Technology is crucial for all aspects of the business. Thus, it is critical to investigate its role in supporting the company and the value of the data it collects, compiles, stores, and consumes.
Cybersecurity Considerations in M&A – How Due Diligence is Conducted
Here is a detailed, step-by-step process for evaluating a company’s information technology structure for vulnerabilities and cybersecurity risks.
- Screen professional teams for their compatibility with assessing IT and cybersecurity risks.
- Identify the crucial Intellectual Property assets and how they influence the company’s valuation.
- Review the cybersecurity processes and infrastructure for protecting the assets, historically and currently.
- Evaluate the IP and its ownership titles for possible encumbrances on the source code and its usage.
- Check for any data protection regulations and obligations applicable to the business vertical and assess compliance.
- Evaluate the company’s cybersecurity program for sophistication and effectiveness.
- Check with the company’s IT team for any previous cybersecurity incidents or breaches and their resulting impact.
- Investigate any breaches that the team may not be aware of.
- Examine the company’s reliance on third parties for data security and if they are reliable.
- Estimate the scope of the upgrades needed for firewalls and other cyber safety measures.
- Assess the potential investment needed to shore up the target’s cyber defense systems. Also, include the possible costs for retraining and reorientation of employees in cyber security.
- Assess the potential complexity of cyber threat integration and the estimated costs to manage risks.
- Evaluate the potential loss of synergies in case the cyber issues are not resolved satisfactorily.
- Gather the results of the evaluations in the previous steps to establish the representations and warranties in the definitive acquisition agreement.
Cybersecurity Concerns in M&A Are Likely to Ramp Up
Cybersecurity concerns will continue to play a crucial role in future M&A transactions. As businesses increasingly rely on information technology to support their internal and external operations, the threat of cyber attacks grows larger than ever before.
However, dealmakers can rely on meticulous and thorough due diligence by expert professionals to identify potential risks. Next, they can take steps to resolve the issues and estimate the funds they’ll invest once the deal is closed.
Once the deal concludes, integration and synergies can progress per the results of the investigation during due diligence. That’s how dealmakers can extract the maximum value from the M&A transaction.