Blog

2017 Prediction: Industry first-movers embrace pre-M&A cybersecurity due diligence

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

2017 Prediction: Industry first-movers embrace pre-M&A cybersecurity due diligence

The final post in our series highlighting our 2017 Cybersecurity Predictions is about the increasing awareness of the importance of conducting pre-deal cybersecurity due diligence in M&A transactions. Conducted alongside traditional financial, management and compliance due diligence activities, cyber due diligence can uncover security vulnerabilities within a target company’s products, technology infrastructure, or security program that can impact deal terms, valuation and post-closing conditions. Awareness of this critical pre-deal assessment is beginning to take hold among some M&A teams, but there is still a long way to go before it becomes standard practice. Read on to learn more about how we believe this prediction will play out over the course of the next year.

The financial services industry will be the early-adopters of making cybersecurity due diligence a critical part of the pre-M&A due diligence process, learning from high profile transactions that were derailed in 2016 following the exposure of cyber vulnerabilities. While 2017 will likely see one to two additional high profile instances that impact the deal process outcome, only the financial services industry will react accordingly and conduct judicious cyber assessments.

In 2016, pharmaceutical company Abbott Laboratories’ $5 billion deal to buy global medical device company St. Jude Medical was blackened by allegations of cybersecurity vulnerabilities in its products. In August, a few months after St. Jude agreed to be purchased by Abbott, short-selling firm Muddy Waters announced its short position on St. Jude after receiving a report by cybersecurity firm MedSec claiming the company’s cardiac devices are vulnerable to cyberattacks. Muddy Waters widely promoted its position and other notable short sellers began claiming that shares of St. Jude Medical could drop sharply if the takeover by Abbott Laboratories fell apart[1].

In 2017 we expect the financial services industry to adopt cutting-edge due diligence techniques such as searching the dark web for company data, seeing if employees are using their work email to set up online accounts, reviewing external facing intellectual property (IP) for evidence of persistent malware attacks, and talking to employees and former employees about how operations actually work with regard to information security.

Acquiring companies will use these insights to assess the acquisition targets’ cyber abilities and cybersecurity histories, and use the subsequent discoveries to adjust purchase price and terms.

BOTTOM LINE:

Financial services will continue to be the early adopter in understanding and mitigating the impact of connectivity on broader enterprise risk, shifting the emphasis of cybersecurity due diligence from post- to pre- M&A. Broadly, however, most organizations will not go into 2017 learning from 2016’s M&A mistakes. It will take additional high profile deals to be impacted negatively by cybersecurity issues before cyber due diligence in pre-deal negotiations is taken seriously.

To watch our recent webinar discussing this and our other 2017 Cybersecurity Predictions, CLICK HERE.

To learn more about how Stroz Friedberg can help your company conduct cybersecurity due diligence, CLICK HERE

[1] CNBC, Fox, Michelle, “Muddy Waters’ Carson Block says St. Jude Medica shares could fall to $55,” August 26, 2016. http://data. cnbc.com/quotes/STJ

Legal

Our lawyers don’t want to miss out on the fun and would like you to know that all of the posts are the opinions of the individual authors and don’t necessarily reflect the opinions or positions of Stroz Friedberg. The ideas and strategies discussed herein may not be appropriate for any one reader’s situation and are not meant to be construed as advice.

Risk Areas:

I am: Legal + Compliance-focused, In the C-Suite or a Director

Tags: cybersecurity predictions, cyber due diligence, M&A Transactions

Stroz Friedberg

Sorry! You are using an older browser which is not supported by this website.

Please download one of these free browsers to enjoy all our website has to offer:
Firefox, Chrome or Internet Explorer.