cyber-security-implications-in-an-acquisition

Cyber security continues to be a major issue for businesses worldwide. A report released by the Center for Strategic and International Studies and sponsored by global security software provider McAfee estimated that cybercrime has more than a $400 billion impact to the global economy each year. In the past year alone, two of my clients told me they were either hacked or were lucky enough to discover a fraudulent bank wire just before it was sent.

Just think of the potential risks if your business is targeted:

  • Reputational – Will customers continue to trust you with their sensitive data? If employee data is seized, do you need to purchase credit monitoring for each employee?
  • Real financial losses – These can include cash, critical business information, intellectual property, increased security costs, credit monitoring costs, and public relations/crisis management costs.
  • Opportunity – If you are hacked, senior executives will spend a considerable amount of time dealing with the after effects, a distraction which will impact future business.

While these risks are fairly well-known, one cyber security risk you might not necessarily think of is how it may impact your acquisition plans – whether you are on the buy side or the sell side. However, the recent news of a major Yahoo data breach offers some valuable lessons.

In July, Verizon announced its acquisition of Yahoo in a $4.8 billion transaction. However, after the merger announcement was made, Yahoo made its own announcement that it had experienced a data breach two years ago, with more than 500 million user names and passwords being compromised.

On the buy side, the news was significant enough to leave Verizon’s shareholders wondering whether the merger will be even completed. Those in charge of due diligence for Verizon will certainly be under fire for not identifying the potential liability. Some have even suggested that Verizon will request as much as a $1 billion discount on the previously agreed-upon price, and I suspect that the representations and warranties in the proposed merger agreement will contain a lot more about cyber security.

On the sell side, the breach has left Yahoo with a serious black eye. There are questions about the integrity of Yahoo’s management; why did it take two years to identify the breach and was anyone in management aware of it prior to the merger agreement? Senators have already requested a public hearing on why it took Yahoo so long to disclose the breach.

Plus, as a data-driven company, how could Yahoo allow its most valuable asset to be hacked? How many Yahoo accounts have been closed subsequent to the announcement? And will Yahoo’s shareholders sue the company and management for any losses sustained?

If your company maintains sensitive data and you are considering a sale, or if you’re looking to purchase a company with such data, you’ll want to make cyber security part of your plans to avoid the situation in which Verizon and Yahoo now find themselves. My cyber security colleagues here at Kreischer Miller recommend that at a high level, you consider the following:

  • Perform an annual vulnerability assessment to better define potential risk factors
  • Control access to computers, both internally and externally.
  • Create access controls so users only access data they need.
  • Create logs of who is accessing data.
  • Verify that security protocols and software are up-to-date.
  • Educate and train your employees on cyber security risks and how to avoid them.
  • Create a plan in case you are hacked.
  • If purchasing a company,
    • Review the buyer’s cyber security controls.
    • Consider hiring a professional to review the controls and verify there is no evidence of a breach.
    • Make sure the representations and warranties in the contract adequately address cyber security and the potential liabilities.

Given how hard it is to track down cyber security criminals and recoup losses, management needs to be aware of the risks and establish appropriate controls to mitigate the chance of sensitive data being breached.

 

David Shaffer, Kreischer MillerDavid E. Shaffer is a director with Kreischer Miller and a specialist for the Center for Private Company Excellence. Contact him at Email

 

 Subscribe to the blog

You may also like: