In the post-COVID-19 economy, cyber risk and cybersecurity will play a central role in unlocking mergers and acquisitions (M&A) deal valuations.

While economic uncertainty has contributed to a decline in M&A activity in the first half of 2020, many analysts expect an increase in deals during 2020-21 based on several conditions.

The Mergers and Acquisitions Landscape

Some sectors have been hammered and need injections of capital and assurances of operational stability. Companies with stronger positions will be opportunistic and looking to accelerate their transformations with new capabilities and intellectual property. Acquisition efforts may be aided by marketplace liquidity. The U.S. private equity industry alone holds $1.5 trillion in cash. Non-financial corporations in the U.S. have more than $4 trillion. Moreover, interest rates in many areas are at or near historic lows.

We are in the midst of a profound, generational challenge, and our ability to adapt is largely a reflection of how we have approached our risk and security practices to date. As the appetite for M&A activity returns, cyber risk and cybersecurity experts should play a central role in determining true asset value and potential liability exposure. Many organizations fail to identify and capture risks in the early stages of the deal lifecycle, when these considerations can make a real difference.

Relevant examples in mergers and acquisitions news are easy to find. In 2016, TalkTalk, a U.K.-based telecom business, was fined £400,000 after a threat actor accessed a customer database it had acquired earlier. In 2017, the price of Verizon’s acquisition of Yahoo’s internet business plunged $350 million after Yahoo disclosed three massive data breaches compromising more than one billion customer accounts. Companies exploring M&A today would also be wise to consider a recent example from April 2020: a pending merger had 5% of its total purchase price set aside to cover the potential fallout from a ransomware attack.

For many companies, the new normal will be about enhancing their market position by acquiring new assets or divesting existing ones. New data insights from IBM’s Institute for Business Value (IBV) suggest risk and security concerns, as well as opportunities generated by enhanced cyber resilience, are some of the most important financial considerations in any M&A deal.

Opening Business to Risks During Mergers and Acquisitions

More than one in three executives say they have experienced data breaches that can be attributed to M&A activity during integration.

Highly sophisticated threat actors target M&A activities because they offer the potential for short-term and long-term rewards. When publicly held companies are involved, the resulting media coverage can increase the chance that threat actors will seize the opportunity to attack. With operations in transition, high-value data is especially vulnerable.

Doing Due Diligence

More than half of companies wait until due diligence is completed to perform cybersecurity assessments.

Figure 1

While it’s critically important that potential liabilities are identified and accounted for in M&A deal valuation — and reflected in purchase, sale, and transition service agreements (TSAs) — most companies wait until late in the deal lifecycle to research and identify potential cybersecurity and data privacy risks and liabilities (see Figure 1).

Get Cybersecurity Leaders Involved

There are clear benefits to involving cyber risk and cybersecurity leaders earlier in the M&A lifecycle.

Of all the respondents, 32% reported having sophisticated M&A capabilities and achieving better outcomes from their M&A activity. Of these, almost 60% engage CISOs and information security teams earlier in the M&A lifecycle, during acquisition planning and screening of potential targets.

Security experts should be embedded in the corporate M&A process and play a key role in all its phases. Failure to understand how a merger or divestiture impacts operational risk exposure detracts from future value realization.

Calculating Risk During Mergers and Acquisitions

Cyber risk and cybersecurity assessments should be factored into target valuations.

Figure 2

Premiums are often paid to acquire a business, so it’s critically important that potential liabilities are identified to keep the premium in line with overall value. On average, companies devote up to 7% of their total annual revenue toward executing M&A activities, more than 80% of which is spent on the acquisition and post-close integration phases (see Figure 2).

Factoring In Security Considerations

Companies with mature M&A practices integrate risk and security considerations into their strategy, planning and valuation activities. Most notably, they analyze and quantify cyber risk factors and cybersecurity vulnerabilities. These organizations develop currency-adjusted cyber risk models that describe the impacts of potential financial and reputational risks. Armed with knowledge, these organizations are in a powerful negotiating position because they have the freedom to step away from the table. If a cybersecurity issue or potential liability found during screening (pre-acquisition) is significant enough to disqualify a target, this translates to a substantial operational cost avoidance.

In our experience, there are a number of reasons why companies delay or disregard engaging security experts during M&A. In some cases, it’s attributable to inexperience with the complex M&A lifecycle. In others, there may be a desire to limit the number of people with knowledge of an impending merger. Restricting “line of sight” to a potential merger is understandable during the pre-acquisition phase. However, excluding risk and security domain experts during deal valuation, negotiations and due diligence is problematic. Security and compliance issues can present large potential liabilities that impact the basis for a deal.


For more insights, including recommendations for each phase of the M&A deal lifecycle, check out IBM’s new benchmark insights report Assessing cyber risk in M&A — Unearth hidden costs before you pay them.
