Unreported data breaches have disrupted several major M&A deals in recent years, including Marriott International’s merger with the Starwood hotel chain, TripAdvisor Inc.’s acquisition of Viator Inc., and the Verizon-Yahoo Inc. deal.

When the breaches came to light, they proved costly. Yahoo was devalued by more than $350 million and Verizon became embroiled in a massive class action suit. TripAdvisor shed $580 million in market capitalization. Marriott’s stock took a big hit after the breach was disclosed and the company is still dealing with the fallout, which is believed to have exposed millions of unencrypted and encrypted passport numbers of hotel guests.

The growing list of cautionary tales appears to be making an impression. A new survey of 2,700 information technology professionals and business executives from around the world shows that 93% of respondents view cybersecurity evaluations as important to their company’s M&A decision-making.

Participants in the study from Forescout Technologies Co. in San Jose, California, also ranked a target company’s history of cybersecurity incidents as the second-most important factor when performing due diligence on the business. Unsurprisingly, the company’s financial statements took top priority.

Slightly more than half of the participants reported that a “critical cybersecurity issue or incident” had jeopardized an M&A deal involving their companies.

“What I hope people wouldn’t take away from this is that it’s only half of the cases that run into an issue like this,” said Joseph Castelluccio, a partner in Mayer Brown’s New York office and a member of the firm’s corporate and securities practice.

“I don’t think only 50% of the companies that do M&A need to worry about this,” he added. “I think 100% of the companies that do M&A need to worry about this.”

While cybersecurity is a concern, it often takes a back seat to other due diligence issues. Only 36% of respondents “strongly agree” that their IT teams are given sufficient time to review a target company’s cybersecurity standards, according to the study.

“These acquisitions are announced after the deal is nearly completed. The IT and cybersecurity sides, unfortunately in a number of instances, are brought in after the financial and regulatory due diligence is done,” said Rocco Grillo, managing director of global cyber risk services at the New York consulting firm of Alvarez & Marsal.

“Companies are racing to be compliant, whether for business purposes or regulatory requirements. But make no mistake about it, compliance doesn’t equal security,” Grillo said. He added that having strong cybersecurity protocols “comes back to the tone at the top, executive sponsorship” and giving IT professionals a seat at the table with business leaders.

When a company is considering acquiring a business that has unsophisticated or questionable data protection practices, it’s best to approach the deal as if a breach has occurred and take precautionary measures until more thorough due diligence can be done, according to Castelluccio.

“That may mean not integrating systems right away,” he said.

Aside from preparing for potential hidden data privacy issues, companies also need to realize that their data is more vulnerable during the M&A process. As soon as the deal is announced, cyberattackers know that sensitive information is being transmitted between the companies. And a new group of employees and third parties will also have access to that data, increasing the risk for human error.

“This isn’t just a technology or financial services issue. This is something that legal and compliance teams care about,” Castelluccio said. “Frankly, there are few things that will land you on the front page of the newspaper or going viral across Twitter than your company being the latest victim of something like this.”

Other findings from the report include:

  • 81% of respondents said they were more concerned about a target company’s cybersecurity practices than they had been in the past.
  • 73% said uncovering a previously undisclosed data breach during the M&A process would be an “immediate deal breaker.”
  • 65% said unforeseen cybersecurity issues had caused their companies to have buyer’s remorse in the wake of an acquisition.


Reprinted with permission from the June 28, 2019 edition of Corporate Counsel © 2019 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.