The Management Series

May 2018

Step Up Cyber-Security Scrutiny During M&A Efforts

Well before you launch a takeover bid, make sure you have assembled a large and skilled team that can probe a target’s vulnerability to cyber attacks and search for evidence of previously undetected breaches of sensitive information.

Otherwise, you could end up being the not-so-proud owner of massive liability due to the release of customer information, or of equipment and software that allow hackers to make off with company secrets and intellectual property, The Wall Street Journal reports in “Due Diligence on Cybersecurity Becomes Bigger Factor in M&A.” (Subscription needed.)

And don’t feel safe if you made a deal that seems to have gone smoothly so far. Costly problems can crop up years after an acquisition.

“FedEx Corp. moved quickly [in February] to secure a server that exposed data from customer driver’s licenses and passports. FedEx inherited the server when it bought e-commerce service Bongo International in 2014,” according to the newspaper.

“Gaps in data protection, undiscovered breaches, regulatory violations and other holes in a company’s technology operations can threaten transactions,” the Journal says. “Such problems can also decrease the value of a deal or leave an acquirer liable for problems after a merger.”

For example, Verizon renegotiated its deal to take over Yahoo after it learned Yahoo suffered a breach exposing sensitive details of billions of accounts. Verizon did studies to “assess potential reputational harm and future risks” before deciding to pay $350 million less than the originally agreed-upon price of $4.83 billion, the article says.

The Journal focuses on the different approaches companies take to assure that targets do not pose an undue cyber risk.

Automatic Data Processing assembles teams of cyber-security, risk management and financial-crime specialists capable of assessing everything from the security of hardware and software to the soundness of security practices and training, the newspaper says. Home Depot’s evaluations include penetration tests.

Waste Management “doesn’t dedicate a team to cyber issues during the diligence phase. The company instead focuses on the later stage of moving data from the target’s systems into its own,” the article says.