There appears to be a worrying level of complacency toward the assessment of cyber-risks during M&A deals, despite increasing awareness of the cybersecurity risks facing businesses.
International law firm Freshfields Bruckhaus Deringer found in a survey shared with Infosecurity that 90% of respondents believe cyber-breaches would result in a reduction in deal value; and 83% of dealmakers believe a deal could be abandoned if cybersecurity breaches are identified during deal due diligence or mid-transaction.
Yet, too few tie-up architects are addressing the threat. A majority (78%) say that cybersecurity is not a risk that is currently analyzed in-depth or dealt with in deal due diligence.
“It’s surprising that dealmakers recognize the growing threat of cyber-attacks to businesses, but generally aren’t addressing that risk during deals,” said Chris Forsyth, co-head of the firm’s international cybersecurity team. “You wouldn’t dream of buying a chemicals plant without assessing environmental risk, so why would you buy a data-driven business without assessing the risks its faces around data management and cyber-security?”
The firm said that the effect of a cyber-incident on value would work both ways – a business with a good track record and robust processes could be worth more than competitors, while a business with a bad track record could be worth less.
Dealmakers’ top concerns include targets suffering cyber-attacks during deal discussions, the target being a proven victim of data or intellectual property (IP) theft by cyber-attack, and evidence of a target not handling a past breach effectively (leading to fines, damage to reputation etc.). Interestingly, acquirers (30%) are most concerned about cybersecurity issues derailing transactions, whereas 81% of sellers are unconcerned or only slightly concerned about the risk of derailment.
“It is odd that most respondents to the survey said they were concerned about cybersecurity risks, but that most respondents aren’t actually doing anything about them during an M&A process,” said Forsyth. “One possible explanation is that it is a relatively new area that is not well-understood, and buyers are hesitant about how to tackle it.”
However, awareness of the threat posed by cyber-attacks is growing, according to the survey, with 82% of dealmakers saying that the risk of cyber-attacks will change deal processes over the next 18 months.
The survey also reveals that more North American respondents (51%) than European (39%) have seen cybersecurity become a key part of due diligence in the last year. Further, the US has seen more suppliers and counterparties audited (38% to 22%), more internal cybersecurity specialists appointed (33% to 17%) and more external cybersecurity consultants engaged to review risks (28% to 17%).
“Differences in cultural attitudes and the perception of cyber risk may be reflective of the varying levels of exposure to follow-on litigation and class actions in the US compared with Europe,” said Jane Jenkins, co-head of the firm’s international cybersecurity and defense teams. “While the environment is starting to change, there is still much more emphasis on transparency in the US than in Europe, with the SEC threatening enforcement action against companies for failure to notify cyber-breaches.”
Investors and corporates are starting to wake up to cyber-risk. As demonstrated in the Target breach, more companies are being penalized by shareholders for being a victim of an attack and executives are having to step down as a result.
Edward Braham, global head of corporate, added, “The message to dealmakers – whether buyer or seller - is to evaluate cyber-risk in the same way they would any other risk that could affect the value of a target. Cyber risk presents a significant threat to the operations, reputation, and the bottom line of virtually every company, regardless of industry. While market practice is still developing in this area, buyers can use an M&A process to understand better the cyber risk a target faces.”