Merger and acquisition (M&A) activity continues to accelerate as 2019 progresses, both in terms of volume and value of M&A deals. Deloitte research found 79 percent of organizations expect merger activity to grow in the coming year, up from 70 percent that said the same for 2018.
While corporate mergers can drive business growth, they are also rife with risks and disruption for organizations, from a reshuffling of executive teams to problems with integrating complex, siloed systems from one company into another.
The average value of M&A deals is on the rise, but there's another trend brewing in the corporate community: the rising cost of cyberattacks. According to experts, cybersecurity is becoming an increasingly difficult hurdle to clear during a merger.
"Companies can't afford to drop the ball on cyber risk, which is why conducting cyber risk due diligence has become an essential part of the M&A process," wrote Deloitte in a separate report, which urges companies to develop a cybersecurity strategy prior to any merger.
One of the largest security challenges of an acquisition stems from the risk exposure an acquiring company faces if it has not fully assessed the cybersecurity strength of its acquisition target.
"Otherwise," the American Bar Association explained in an article, "the acquirer in an M&A transaction is at risk of buying the cyber vulnerability of the target company, and assuming the damage and liability from incidents it suffers."
Business Partners At Risk
Businesses are becoming increasingly aware that their systems do not exist in a vacuum. Cyberthreats exist throughout supply chains and business networks, and one supplier that experiences a data breach can result in the exposure of sensitive corporate data at businesses other than that supplier itself.
Such cases have been reported at Ticketmaster U.K., which suffered a data breach last year as the result of a cybersecurity incident at a third-party vendor. T-Mobile's breach in 2015 that compromised the data of 15 million customers was the result of a third-party security lapse, too. Furthermore, Opus researchers said 59 percent of companies that have experienced a data breach noted it was the result of a cyber incident at a third-party vendor or business partner.
With merger and acquisition activity accelerating, organizations will need to increase awareness of their cyber risk exposure resulting from business acquisitions.
Researchers at PwC also warned that lapses in cybersecurity strategy can expose the acquired companies to risks, too, namely the risk of reduced valuation of a takeover deal. In a report last year, PwC pointed to Yahoo's takeover by Verizon, a deal that saw a 7 percent price cut after Yahoo disclosed two significant data breaches.
"In addition," PwC said, "the part of Yahoo that wasn't sold to Verizon agreed to assume 50 percent liability from any future lawsuits related to the data breaches."
Eighty percent of global dealmakers told PwC that they have found data security issues within a potential deal, and said at least one-fourth of their acquisition targets have been companies with some type of cybersecurity issue. While a cyber incident is more likely to delay an M&A deal, rather than lead to a cancellation outright, increased costs and liability for both parties are becoming a significant challenge in the M&A market today.
Complicating matters is the complexity of quantifying the risks each side of an acquisition deal faces, according to Milliman's Chris Harner, executive risk consultant, and Lisa Henderson, chief strategist of casualty products and InsurTech consulting.
"The more capable a buyer is in measuring all risk, the greater advantage it has during M&A negotiations," they wrote in a report last year. "Cyber exposure, by contrast, is uncharted territory. It is new, growing and represents a daunting array of potentially very expensive risks within a context of mostly unknown factors."