Executive Perspectives

Net Gains or Net Losses: How Cyber Security Impacts M&A

Business_Descending Spiral Staircase_Color_Hi
For organizations around the world, mergers and acquisitions continue to be one of the core paths to grow a business and expand into new markets. In the U.S., just during April and May there were almost two thousand M&A events, while in Asia Pacific, M&A activity reached a record $367.7 billion during the first six months of 2015. The numbers are equally impressive elsewhere in the world. In Europe, M&A activity increased by 37% over the first six months of 2015. Add to that Bloomberg Business’ forecast that M&A activity in Europe will climb more than an additional 14% over the next six months, and you see that M&A activity is as robust as it is universal.

That’s a lot of activity. How does cyber security fit in?

A compromised organization presents two major threats that can significantly change the value of an acquisition target:

First, if a company is an acquisition target based on the value of their intellectual property, a compromise could mean that valuable intellectual property is no longer exclusively theirs. Once a breach occurs, competitors could already have the most valuable data and it could impact the value of acquiring the company.

Second, if an attack group has breached an organization, once the acquisition process begins, it becomes significantly easier for the attack group to gain access to the systems across both companies. This can be in through social engineering of email-based attacks coming from new “trusted” contacts, or as IT systems are integrated technical barriers are removed that make lateral movement easier.

The worst-case scenario of acquiring a compromised organization is losing the competitive advantage of making the acquisition and compromising your organization in the process.

When due diligence is undertaken a great deal of research goes into to understanding the market, assets, people, liabilities, customers, and technology of the target organization. But one question usually isn’t asked: “Is this organization breached?

And that’s a really valuable question to ask. Because when you know if the target is breached, it may change the value of the target. And it may alter the perception of shareholders, regulators and the board as to whether they should acquire that company.

If the value of the acquisition is tied to the intellectual property it holds, is that IP as valuable if attackers may have stolen it? If the value is tied to the confidentiality of the customer base, is that reduced if the customer data may be for sale on the dark web?

Most successful businesses place a significant value on their brand and reputation. In 2014, many of the top brands in the world had a greater value than their annual revenues. If the reputation of your brand is damaged by a cyber security breach, it could have a significant impact on the balance sheet. And if you acquire a breached company before the breach becomes public, when it does become public the breach could damage your (now combined) companies’ reputation and brand equity. 

In a recent study of Global M&A deal makers, 78% believe cyber security is not analyzed in great depth during due diligence. This despite 83% reporting they believe a deal could be abandoned if a cyber security breach was identified, and 90% saying a breach would reduce the value of the deal. In Europe, 39% of respondents believe cyber security inspection should be part of due diligence, rising to 51% in the U.S.

But no matter where you’re based a compromise assessment should be a basic part of your M&A process. This can give you assurance that the target acquisition is not currently breached, that you aren’t acquiring a target that could compromise brand, IP or data. It can also give you a powerful lever in negotiations over the value of the business. The cyber savvy executive really can make money using bad news about a cyber breach. A compromise assessment could give you the best return on investment in your business career.