AI Magazine Issue 3 2018

Acquisition International - Issue 3 2018 55 Philip Whitchelo, Vice President, Strategy & Business Development, Intralinks &A dealmakers are becoming increasingly concerned about cybersecurity. According to recent analyst predictions, cybersecurity ratings will soon be as important as credit ratings when it comes to assessing the risk of business relationships, with cybersecurity postures considered a critical factor in the due diligence process of the majority of organisations engaging in mergers and acquisitions. This shouldn’t come as much of a surprise; a deliberate leakorhackcanpotentially jeopardise,exposeorstallthe M&Aprocess and, by negatively affecting perceptions of an organisation’s accountability and reputation, even affect the value of the deal. By way of illustrating the issue, browsing the business pages over recent months reveals how several ongoingM&Aprocesses have been impacted by incidents related to cybersecurity. For example, months before it considered acquiring Twitter, an email hack revealed Salesforce’s potential M&A targets, none of which was the social media giant. Most companies will have such a list, but very few will have it made publicly available in this way. The revelation that Yahoo! had experienced the biggest data breach on record, in which more than a billion accounts were compromised, had a direct financial impact on Verizon’s agreement to buy its core internet business for US$4.8 billion when the telecommunications giant subsequently demanded better terms before signing the deal. And an attack on undersea cable company Pacnet’s corporate IT network weeks before the company was acquired by Telstra, saw the Australian telecommunications firm having to cover the costs of the damage. It’s clear from examples such as these why M&A practitioners need to understand the impact a significant data breach could have on a target company’s valuation, particularly if buyers drop out as a result. With the volume of security threats continuing to mount, and in light of increasing data privacy regulations, organisations should whatever they can to preserve the value of their deals. Impact on deal value Intralinks recently surveyed 3,182 worldwide M&A dealmakers, and found that the value of deals could decrease significantly should the target company’s data be breached. According to the survey, around half of dealmakers (48%) believe bidders would be likely to reduce their valuation of a target by between five and 20 percent. One in five said they believed a bidder would walk away from the transaction entirely. The survey also revealed that around a quarter of dealmakers (24%) Company: Intralinks The Evolving State of Cybersecurity in the Financial Sector M Intralinks expect cybersecurity issues will cause a greater number of deals to fail over the next six months than in the previous six. Due to a growing awareness of cyber threats and the potential harm they could cause to the M&Aprocess, an increasing number of dealmakers are now employing external cybersecurity experts, offering them peace of mind by evaluating a target company’s security measures as part of the due diligence process. Measures such as this are leading to changes within the due diligence process; changes that are likely to continue. Standardising cybersecurity across the EU A combination of an increase in high-profile data breaches, and pending data privacy regulations such as the EU’s General Data Protection Regulation (GDPR), will significantly broaden the scope of M&Adue diligence. In addition to the traditional legal, financial, commercial, environmental and HR aspects, acquirers and targets alike will now need to consider new “digital” or “cybersecurity” due diligence. Set to come into force in May, the GDPR will play an especially important role in standardising the level of cybersecurity across the EU. Without the appropriate technical and organisational measures in place to protect the personal information it holds, an organisation risks being non-compliant with the new regulation, and could therefore be subject to large financial penalties. As a result, should an acquiring company fail to carry out appropriate due diligence on a target, it could find itself taking on a considerable additional risk. Carrying out digital due diligence Given its importance, acquirers must now consider just how to carry out digital due diligence, and what their advisors and corporate development teams should be aware of as cybersecurity continues to attract greater scrutiny. Abuyer will want an assurance from the target company that appropriate steps have been taken to protect confidential information from being breached, and that it is compliant with existing and upcoming data privacy regulation. The target will need to be subject to a cybersecurity risk assessment who, in order to remain attractive, should do what they can to make this process as easy as possible for the acquirer. High-profile data breaches continue to make the headlines on an almost daily basis, and with the implementation of the EU GDPR only a matter of months away, M&A dealmakers must now recognise the important role a target company’s cybersecurity readiness plays in an acquirer’s due diligence process.