In 2016, Yahoo! sold its core business to Verizon for $4.8 billion. This was a far cry from Yahoo!’s peak valuation of about $125 billion, but the final buyout value included a $350 million markdown due to the discovery of a Yahoo! data breach prior to the deal.
This last-minute markdown was the final blow in Yahoo!’s fall from grace as a formidable tech giant that reigned the space Google and Facebook now rule. It is also a lesson in how due diligence during M&A has become more complicated due to the complex technology structures that now permeate large businesses. In the case of Yahoo!’s data breach, hackers gained access to private data and every Yahoo! user was affected.
While this type of data breach is a concern, it was also a malicious attack coordinated by hackers.
More concerning are the data security and cybersecurity breaches that occur because of existing vulnerabilities. The lines between technology, financial, healthcare, energy and government contract companies being blurred. Additionally, more and more companies are utilizing sub-contractors, sub-systems, and off-site data management. These come with their own complex data security and cybersecurity needs practices.
These factors make effective data security and cybersecurity management a difficult task.
Given these complications, it’s no surprise that more than 40% of companies found cybersecurity problems after a merger or acquisition as explained in this article by Richard Harroch. He details six steps any good due diligence process should include to discover data and cybersecurity vulnerabilities prior to completing a M&A. To summarize his outline, begin with a thorough evaluation of a company’s policies, contracts and documentation then evaluate the actual procedures that uphold those policies, enforce contracts and maintain documentation. Next, examine past security breaches and what was done to mitigate a repeat of the situation. Then appraise whether the company complies with applicable laws and standards while also reviewing any history of litigation or regulatory violations. Finally, for certain high-risk industries, an acquiring company might engage with third-party companies to test security systems.
Since more M&A transactions are valued based on virtual assets like users, data, talent and intellectual property rather than physical assets, understanding data and cyber security has become a core competency for acquiring companies. The complexity of today’s business operations emphasizes why rigorous data and cybersecurity evaluations are necessary before a M&A.