The Yahoo Breach and M&A Due Diligence

The Yahoo hack demonstrates that cyber security has become a fundamental part of M&A transactions.

Data breaches and a failure to comply with governmental and industry standards can impact a company in many ways, as Yahoo is finding out the hard way. The company’s recent disclosure of a massive data breach, which resulted in 500 million user accounts being compromised, resulted in multiple class action lawsuits being filed against the company and may trigger a government investigation into why it took so long to disclose the breach. The Yahoo breach has also shaken up the mergers and acquisitions (M&A) world, and it may have put its planned acquisition by Verizon at risk.

As data breaches, ransomware, DDoS attacks, and other cyber attacks escalate in frequency, severity, and cost, cyber security due diligence has emerged as a serious issue in the M&A sector. Information security issues at an acquisition target could significantly impact a deal’s price, keep the deal from going forward at all, or, if the problems are not detected during the due diligence process, inflict a world of pain on the acquirer company; should its deal to acquire Yahoo go through, Verizon is reportedly planning to put $1 billion in reserve to cover the costs to clean up the breach.

While the Yahoo breach has put cyber security due diligence into the spotlight, scenarios where M&A deals were negatively impacted by cyber security issues have been occurring for some time. A survey of senior M&A executives by consulting firm West Monroe Partners, published several months before the Yahoo hack, found the following:

• 80% of respondents felt cyber security issues were “highly important” to M&A due diligence
• 40% of acquirers had discovered a cyber security issue at an acquired firm after a deal had gone through
• 32% of respondents pointed to a lack of qualified personnel involved in the diligence process in recent deals

Respondents also reported that the three most common cyber security problems uncovered during the M&A due diligence process were compliance issues (70%), the lack of a comprehensive data security infrastructure (40%), and vulnerability to insider threats (37%).

What Can Acquirers and Acquisition Targets Do?

The Yahoo hack did not happen out of thin air; it was the result of years of the company repeatedly putting the product user experience ahead of security and refusing to implement even the most basic proactive cyber security measures. Acquisition targets must take their cyber security as seriously as they take their accounting practices. This includes not just protection against breaches but ensuring that the company is compliant with all applicable regulatory and industry standards. Conversely, acquirers must pore over a target company’s cyber security and compliance practices as carefully as they would the company’s books.

Additionally, nearly 1/3 of the respondents to the West Monroe survey complained of a lack of qualified personnel to perform cyber security due diligence. This is not surprising. Cyber security is a complex, dynamic field; new threats and technologies are emerging daily, and most firms do not have the monetary or human resources to handle their own information security-in house. Outside cyber security experts should be involved in the M&A process on both ends. Target companies should have security vulnerability studies conducted before putting themselves on the market, and acquirers must enlist help to perform due diligence during the acquisition process.