Cyber risk in deals

Hidden cybersecurity threats can deal a serious blow to any merger plans

Just months after it closed a deal last summer to acquire payment processor TIO Networks, PayPal had to suspend operations at the processor when it uncovered a breach of its systems that exposed the data of as many as 1.6 million customers. A year earlier, the theft of data for 3 billion Yahoo! accounts cost the Verizon-Yahoo! deal $350 million.

M&A deals expose companies to significantly heightened cyber risk, as the target company’s technology infrastructure is an important part of the package. If that infrastructure is infiltrated, or the intellectual property has been stolen, the acquirer takes over those problems.

“We’re just starting to see cyber impact deal valuations, and that trend will accelerate,” said Jacob Olcott, Vice President of business development at BitSight Technologies, which rates companies’ cybersecurity. “Acquirers don’t want to be caught unaware.”

Both Verizon and PayPal were caught flat-footed, and forced to acknowledge publicly that they didn’t know they’d bought – or were about to buy – damaged goods. The first New York Times article in September 2016 on the Yahoo! breach called into question Verizon’s cyber due diligence and questioned how the revelation would affect the value of the deal. A Verizon spokesman was quoted as saying that Verizon had learned of the breach just two days prior and had “limited information and understanding of the impact.”

PayPal faced similar harsh scrutiny on the wisdom of its decision to buy TIO Networks. PayPal didn’t create the mess, but headlines made it clear who owned it: “PayPal subsidiary … ,” “PayPal-owned company …,” “PayPal’s TIO Networks ….” A taunting USA Today headline went further: “PayPal shelled out $238 million for company that may have had 1.6 million customers breached.”

Such risks are a global threat. Shortly after Australian mobile phone provider Telstra completed its acquisition of network and data provider Pacnet in 2015, it learned that Pacnet had discovered a breach while negotiating the deal and didn’t disclose it.

Uber, too, faced an investor-related challenge after its apparent effort to cover up a high-profile cyber breach that compromised the data of 57 million rider and driver accounts. The rideshare company’s valuation declined sharply after the breach. SoftBank initiated its effort in November to buy a significant stake in Uber at a valuation of $48 billion, 31 percent below the $70 billion valuation from its previous funding round, The New York Times reported.

Increasingly, corporate bidders are weighing cyber risk in their valuations of prospective targets. A 2016 New York Stock Exchange and Veracode survey found 22 percent of company directors say that they would not acquire a company that had a high-profile data breach. Further, half of all respondents in a 2016 Brunswick Insight survey said they would trim their valuation in situations where the target company had been breached – whether the breach was discovered before, during or after the merger. As a result, more companies are relying on technical due diligence, reputational preparedness and tailored insurance services to protect their reputations and bottom line.

The best way to mitigate cyber risk in an M&A transaction is to reduce the potential for surprise by uncovering and addressing cyber issues before they’re uncovered for you – and ensuring a quick and capable response. Tailored cyber insurance can help manage the financial risk by guarding against a steep drop in valuation.

To safeguard both companies’ reputations, contingency plans should be developed to guide their public responses in the event that a breach is uncovered. After the deal closes, the combined company should assemble a response playbook in the event of different types of cyber incidents. Such a playbook has the added benefit of helping the newly combined leadership team identify and work through strategies, roles and responsibilities.

A cyber education campaign for employees is also critical and can serve to establish a common goal for the combined corporate culture. By some estimates, more than 90 percent of cyberattacks begin with a malicious “phishing” email sent to employees that carries invasive email attachments or links laced with attack software.

In addition to other sensitive data, hackers often seek non-public M&A information that they can use for a quick profit on the market. In 2014, cybersecurity firm FireEye found hackers targeted more than 100 companies, investment advisers and law firms to uncover anything related to deals. In 2016, the State of New York arrested three hackers who obtained sensitive, non-public information on at least 13 pending deals and used that information to conduct insider trading.

For companies that engage in M&A, the greatest benefit of investing in a strong cybersecurity governance program is that it allows you to move deals forward with greater confidence.

It will also yield benefits down the line – Brunswick Insight’s survey found half of the investor respondents would increase their valuation of companies that work to mitigate cyber risk during a deal.


Siobhan Gorman, a Partner, advises on public affairs and crisis, with a focus on cybersecurity and privacy.
Andrew Gernt is an Associate. Both are based in Brunswick’s Washington, DC office.