The final post in our series highlighting our 2017 Cybersecurity Predictions is about the increasing awareness of the importance of conducting pre-deal cybersecurity due diligence in M&A transactions. Conducted alongside traditional financial, management and compliance due diligence activities, cyber due diligence can uncover security vulnerabilities within a target company’s products, technology infrastructure, or security program that can impact deal terms, valuation and post-closing conditions. Awareness of this critical pre-deal assessment is beginning to take hold among some M&A teams, but there is still a long way to go before it becomes standard practice. Read on to learn more about how we believe this prediction will play out over the course of the next year.
The financial services industry will be the early-adopters of making cybersecurity due diligence a critical part of the pre-M&A due diligence process, learning from high profile transactions that were derailed in 2016 following the exposure of cyber vulnerabilities. While 2017 will likely see one to two additional high profile instances that impact the deal process outcome, only the financial services industry will react accordingly and conduct judicious cyber assessments.
In 2016, pharmaceutical company Abbott Laboratories’ $5 billion deal to buy global medical device company St. Jude Medical was blackened by allegations of cybersecurity vulnerabilities in its products. In August, a few months after St. Jude agreed to be purchased by Abbott, short-selling firm Muddy Waters announced its short position on St. Jude after receiving a report by cybersecurity firm MedSec claiming the company’s cardiac devices are vulnerable to cyberattacks. Muddy Waters widely promoted its position and other notable short sellers began claiming that shares of St. Jude Medical could drop sharply if the takeover by Abbott Laboratories fell apart.
In 2017 we expect the financial services industry to adopt cutting-edge due diligence techniques such as searching the dark web for company data, seeing if employees are using their work email to set up online accounts, reviewing external facing intellectual property (IP) for evidence of persistent malware attacks, and talking to employees and former employees about how operations actually work with regard to information security.
Acquiring companies will use these insights to assess the acquisition targets’ cyber abilities and cybersecurity histories, and use the subsequent discoveries to adjust purchase price and terms.
Financial services will continue to be the early adopter in understanding and mitigating the impact of connectivity on broader enterprise risk, shifting the emphasis of cybersecurity due diligence from post- to pre- M&A. Broadly, however, most organizations will not go into 2017 learning from 2016’s M&A mistakes. It will take additional high profile deals to be impacted negatively by cybersecurity issues before cyber due diligence in pre-deal negotiations is taken seriously.
To watch our recent webinar discussing this and our other 2017 Cybersecurity Predictions, CLICK HERE.
To learn more about how Stroz Friedberg can help your company conduct cybersecurity due diligence, CLICK HERE