M&A Due Diligence in the Digital Age: Cybersecurity and Data Privacy Considerations

SHARE:

In the high-stakes world of mergers and acquisitions (M&A), every detail counts. Consider the high-profile acquisition of Yahoo by Verizon, a case study that underscores the importance of cybersecurity and data privacy during due diligence.

 

In 2017, telecommunications giant Verizon acquired internet company Yahoo and its diverse portfolio of digital properties. Enamored with Yahoo’s potential and the prospect of a transformative deal, Verizon overlooked a crucial aspect of due diligence: Yahoo’s cybersecurity practices and its history of data breaches. This lapse in scrutiny resulted in a costly misstep when it was revealed – post acquisition – that the 2013 data breach did not just affect 1 billion accounts but all 3 billion accounts and that there was another subsequent breach in 2014. This information almost derailed the deal and a value of $350 million was cut from the original purchase price of $4.8 billion. The Verizon-Yahoo saga serves as a crucial reminder of the importance of cybersecurity and data privacy considerations in the due diligence process, especially in today’s digital age.

The Importance of Cybersecurity and Data Privacy

Data has become the new oil, and companies are investing heavily in collecting, storing, and analyzing data to gain a competitive edge. However, this has also made businesses attractive targets for cybercriminals. In 2022 alone it was reported that over 422 million individuals in the U.S.A had their personal data compromised through a company data breach. This reality becomes particularly concerning in the context of M&A activities as a survey revealed that nearly 40% of acquirers discovered cybersecurity issues during the post-acquisition integration.

 

Cybersecurity and data privacy have not just emerged as significant considerations but now command center stage in M&A transactions, illuminating the need for thorough due diligence to safeguard both business value and reputation. A target company’s cybersecurity posture and data privacy measures can significantly impact the value of a deal. A company with robust cybersecurity measures and a strong commitment to data privacy is likely to be more valuable than one with weak protections, which could become a liability post-acquisition.

Cybersecurity Due Diligence is the evaluation of an organization’s cybersecurity measures and risks, typically conducted during mergers, acquisitions, or partnerships. The process assesses vulnerabilities and compliance to inform business decisions and mitigate potential liabilities.

Assessing Cybersecurity Due Diligence

Aside from the Yahoo—Verizon mergers and acquisitions case, another high-profile M&A data breach was the Starwood Hotel and Resorts data breach after Mariott’s acquisition of the company in 2016.  When Marriott set its sights on Starwood, it was captivated by the potential of expanding its global footprint and the allure of Starwood’s loyalty program. However, this focus on attractive benefits led them to overlook a crucial area: Starwood’s cybersecurity measures.

Unbeknownst to both parties, Starwood had suffered a significant data breach in 2015, one year before the acquisition, and it was reported that the breach was ongoing even as the merger was taking place. The situation only came to light in 2018, two years after the acquisition, when Marriott discovered unauthorized access to Starwood’s customer database. The breach exposed the personal data of approximately 500 million Starwood customers, leading to hefty regulatory fines for Marriott and severe reputational damage.

Most companies who get into the deal making of mergers and acquisitions focus on conventional areas of due diligence such as the company’s financial health, business model, and growth potential. They even delve into its legal compliance and operational efficiency, ticking off the usual checkboxes on an acquisition due diligence checklist. However, most companies miss a rapidly growing area of concern – a company’s cybersecurity measures or their vulnerability to cyber threats. Even with high-profile data breaches moving towards an alarming norm in mergers and acquisitions, less than 10% of deals practice cyber due diligence during the M&A process.

In every transaction, M&A professionals should take a proactive, risk-based approach to cyber due diligence, assessing a target’s cybersecurity posture which measures the potential risk exposure of an organization.  This includes examining the target’s overall IT infrastructure, the configuration of network devices and firewalls for defense against unauthorized access, cloud security policies and configuration drift, and even their application risk scores and open-source dependency vulnerabilities and data encrypting configurations and role-based access management policies. Moreover, it is vital to understand the target’s compliance with relevant cybersecurity regulations and standards, such as the GDPR, NIST, or the ISO 27000 series.

Data Privacy Due Diligence involves assessing how an organization collects, stores, and manages personal and sensitive data. Conducted typically during mergers, acquisitions, or partnerships, it aims to ensure compliance with privacy laws and regulations, thereby reducing legal and operational risks.

Data Privacy Considerations During Due Diligence

While cybersecurity focuses on defending data from unauthorized access, data privacy is concerned with how data is legally collected, stored, used, and shared. It goes without saying that data privacy goes hand in hand with cybersecurity. Ensuring compliance with data privacy laws is not just about avoiding hefty fines; it’s also about preserving customer trust and being transparent with how a customer’s data is used. A company that fails to protect its customers’ data is likely to lose their trust, which can have long-lasting impacts on the business.

For instance, consider Facebook’s acquisition of WhatsApp in 2014. At the time of the acquisition, WhatsApp was highly regarded for its strong commitment to user privacy. However, post-acquisition, Facebook modified WhatsApp’s privacy policy, intending to share WhatsApp user data with Facebook. This resulted in substantial backlash, regulatory scrutiny, and a substantial fine from the European Union for providing misleading information during the merger review process. The case exemplifies the potentially severe consequences of overlooking data privacy considerations during M&A transactions. Though the deal did push through, WhatsApp users were disappointed with the outcome, and it cost Facebook quite a sum.   

In data privacy due diligence, M&A professionals should review the target’s data collection and handling practices, data privacy policies and other disclosures, information security policies and procedures, and compliance with data privacy laws in regions or industry’s where they operate. Such region specific regulations may include the EU GDPR, California’s CCPA or for industry specific policies, the HIPAA in healthcare. Data privacy due diligence should also include cross-culture and geographic considerations for international data transfers to ensure compliance with data laws in each country.  This process also involves evaluating the cultural fit between the acquiring and target companies in terms of their privacy philosophies. In situations where the target company has made strong commitments to user privacy, as in the case of WhatsApp, the acquiring company should respect and uphold these commitments to avoid potential reputational damage and regulatory backlash.

Conducting thorough data privacy due diligence allows potential liabilities related to data privacy to surface, empowering organizations to take proactive measures before finalizing the deal. This detailed assessment helps avoid post-acquisition surprises such as non-compliance with data privacy laws, which could depreciate the acquisition’s value and tarnish the reputation of the acquiring firm.

Final Thoughts: Navigating Cybersecurity Due Diligence in Mergers and Acquisitions

There is a real need for rigorous cyber due diligence in today’s M&A deals. As we navigate the digital age, cybersecurity and data privacy due diligence are transitioning from optional add-ons to integral elements of a successful acquisition process. This transition includes meticulously evaluating a target’s cybersecurity posture, data privacy practices, and adherence to applicable regulations, thereby safeguarding the transaction’s value and the reputation of the acquiring firm.

 

By drawing lessons from real-world cases such as Verizon-Yahoo, Marriott-Starwood, and Facebook-WhatsApp, companies can adopt a more comprehensive, risk-oriented approach to cyber due diligence. Although these cases each present unique circumstances, their collective message to all organizations is clear: In the digital era, the success of M&A transactions is intrinsically tied to a comprehensive and risk-oriented approach to cybersecurity and data privacy due diligence.

 

Armed with these insights, deal makers are well-positioned to incorporate more robust due diligence practices in future transactions. Recognizing the significance of cybersecurity and data privacy is not just an act of compliance, it’s a strategic step towards ensuring success in future M&A transactions. It’s about transforming challenges into opportunities, and risks into informed decisions. This understanding is the very foundation of the new M&A landscape, a pivotal cornerstone in navigating the complexities of an increasingly digital world.

TAGS:

Stay up to date with M&A news!

Subscribe to our newsletter

    Are you sure you
    want to log out?

    In order to become a charterholder you need to complete one of the IMAA programs