
HORIZONS | BDO'S GLOBAL VIEW OF MIDMARKET DEAL ACTIVITY

CYBER RISK

OUT OF THE SHADOWS | IS IT TIME TO MAKE CYBER RISK MORE CENTRAL IN DEAL MAKING?

Increased cyber threats across the world have meant that cyber due diligence has become an indispensable part of the M&A deal-making process.

The natural conclusion for companies, especially those acquiring other companies, is to carry out effective cyber due diligence and ensure that they are not exposing their business to new threats. As an example, in 2017 Yahoo disclosed three data breaches during the negotiation process to sell its internet business to Verizon. As a result, Verizon managed to reduce the purchase price by USD 350m during the negotiations, with Yahoo assuming 50% of any future liability arising from those data breaches. The Yahoo example highlights perfectly how crucial cyber due diligence can be and the tremendous impact it can have on M&A business goals and outcomes. Leaving aside issues like how and whether Yahoo was capable of avoiding these data breaches in the first place, the acquiring party has to follow some guidelines in its cyber due diligence process to protect its interests. It needs to identify and manage the risks as early in the process as possible, to avoid the last-minute pressures of signing the deal.

The rising number of cyber threats and major cyber incidents, many of which have severely impacted business operations, is leaving companies with no other choice but to integrate cyber into their due diligence processes. No one wants to buy or merge with a 'hot potato' which may cast a shadow over the deal and potentially affect stakeholder value. Business integrations that overlook cyber risks are the perfect incubators for malicious capabilities and intentions. The complex and gradual integration processes in M&A deal-making tend to leave blind spots for cyber threats, creating perfect opportunities for malicious actors to play out their 'plot'. In some cases, we have witnessed compromised networks and systems from one side of a merger or acquisition propagating into the other side's network. These types of threats, which are often very hard to identify, may lie dormant in a business for months and sometimes even years.
