The cyber risk deriving from merger and acquisition corporate deals is often underestimated without running proper cyber due diligence, even though it can significantly threaten the profitability of transactions. Still, there are solutions able to reduce such risk exposure.
The consequences of a cyber attack can have a lasting impact on a company’s bottom line, as demonstrated by the 2017 renegotiation of the sale of Yahoo!’s Internet-related business to Verizon. The discovery of three data breaches that impacted 3 billion accounts resulted in a reduction of the purchase price by USD 350 million, but that wasn’t the end of it for Verizon. They later had to pay a settlement of USD 117.5 million due to a class action lawsuit brought by the victims of the data breaches and also had to invest an additional USD 306 million in security measures.
Fast-forward to today, and the risk of experiencing a cyber attack has only increased. In the first half of 2022 alone, 236.1 million ransomware attacks were identified, and since the start of the pandemic, there has been a 300% increase in cyber attacks. The average time to identify and contain a data breach is a staggering 277 days, and the cost can be as much as USD 4.35 million, not including reputational and business loss damages.
The shift to remote work and increased reliance on cloud computing platforms during the pandemic has also increased the risk of cyber attacks, and customer relationships and business operations that depend on data and AI systems are vulnerable to exfiltration or corruption through ransomware attacks.
It’s clear that the risk of a cyber attack is higher than ever before, and the potential damages a company can suffer as a result are also significant. However, traditional due diligence in corporate acquisitions is often limited to a review of documents rather than a technical and compliance assessment of business activities to identify potential cyber-attacks. Additionally, over 82% of cyber-attacks are caused by human error, highlighting the importance of a company’s internal compliance in reducing its risk of a cyber attack. A company’s cyber security cannot be measured solely by ICT investments: companies that invest more in internal compliance are less exposed to cyber risk, and it is this compliance that needs appropriate due diligence. In contrast, substantial technical investments commonly lead to a waste of resources.
This situation puts companies involved in corporate acquisition deals at significant risk of losing the value of the acquired target due to a cyber attack that is not discovered until several months after closing the deal. This risk is difficult to manage through contractual Reps & Warranties in the SPA because the seller often limits them to information known to the seller, which has been the subject of due diligence. Similarly, the vendor may not agree to delay the payment by almost a year. The limitation period (prescription) for challenges by data protection authorities is, for instance, in Italy, five years. In contrast, for claims of individuals that are victims of the data breaches, it is ten years, with an even greater risk now with the new Italian class action. And this situation comes in a context where the cost of cyber insurance to cover the risk is rising sharply and requires more stringent checklists to be completed.
To minimize the risk in merger and acquisition transactions, we have developed a cyber due diligence solution that includes a comprehensive technical and compliance/legal assessment to identify potential cyber-attacks, as well as recommendations for remediation and a plan for ongoing monitoring. Protecting your company’s value during a corporate acquisition is crucial, and our cyber due diligence solution can help to mitigate the risks associated with a cyber attack.
On a similar issue, you can read the article “Have board directors any liability for a cyberattack against their company?”.