When Yahoo came clean on its back-to-back data breaches last year, Verizon had some soul-searching to do: Would it toss its hands up and walk away from the $4.83 billion deal, blow half a year studying the financial impact of the breach (and push the deal’s closure by a couple quarters) or just push through and close the transaction?
Ultimately, Verizon Chief Executive Lowell McAdam took the “damaged goods” approach, calling for a discount. The two Yahoo data breaches – the 2013 breach is believed to be the largest hack ever reported – led to somewhere in the ballpark of a $350 million write-down of the deal’s value, but Verizon also agreed to a 50-50 split surrounding future liabilities that could arise from the hacks.
As last week’s global WannaCry ransomware attack illustrates, security threats and data breaches are becoming more commonplace and costlier – the average cost of a data breach has risen 29 per cent from 2013 to $4 million in 2016, according to IBM. Investors and shareholders alike are more sensitive than ever to the business impact of cyber-attacks. In an M&A scenario, for example, where the reputation and performance of both companies is at stake, potential buyers and sellers are taking cybersecurity very seriously.
In a recent survey of 30 top-level corporate executives and private equity partners, eight-out-of-ten respondents cited cybersecurity issues as highly important in the due diligence process with 73 per cent saying those concerns have risen over the past two years.
And for good reason. As the Yahoo-Verizon deal illustrated, breaches can cut deals or whittle down a company’s value. In some cases, they can even derail a deal entirely. According to a 2016 survey of 30 mergers and acquisitions executives at private-equity firms and corporations conducted by business-technology consultant West Monroe Partners, 23 percent of respondents said they have walked away from a deal entirely because of data security issues at a target company.
Pricing-in a data breach
A new report on pricing-in data breaches by cybersecurity consultant CGI and Oxford Economics pegged the dredge on share values at around $52.4 billion over the past four years with share prices falling by an average of 1.8 per cent on a permanent basis following a severe data breach.
“To put that in context, investors in a typical FTSE 100 firm would be worse off by an average of ($150 million),” says the report. “However, in some extreme cases, breaches have wiped as much as 15 per cent off affected companies’ valuations, substantially more than this sum.”
According to the report, financial services were hurt the worst, followed by communications firms.
“Financial services experience the greatest burden in terms of impact, reflecting the high levels of regulation, the importance of customer confidence and the potential for financial fraud to be a facet of the breach,” the report said.
More than a dollar figure
While it may take a while for the markets, investors and customers to warm up to companies that have faced major data breaches, it can also have an adverse reaction on the dealmaking process. According to a respondent to a survey on cybersecurity – a director of M&A at a technology firm that completes more than 10 acquisitions a year – breaches can raise questions about that company’s security infrastructure.
“Information collected through data security diligence plays the most important part in deciding the future course of the deal,” the M&A director said. “We operate in an industry where data security is of utmost importance and therefore any breach or intrusion could permanently harm the company’s image and operations.”
Know what you know
Data is often a company’s competitive advantage – whether that’s your customer database or the designs for your latest project – and having a well-oiled and properly resourced security policy for disclosing data, especially during a deal, is essential. Data rooms can offer a secure, trackable exchange of information but it’s only part of the equation.
Preventing data breaches comes down to ownership – recognition by employees that it’s their responsibility to follow security protocols, and recognition by the c-suite that it’s their responsibility to understand the protocols, to ensure the proper infrastructure is in place (and has been documented and tested), and above all, to know what that at-risk data is.
In Yahoo’s case, they lost more than just login credentials and user information, they took a hit on their security infrastructure, as well as their reputation, and it ended up hurting their valuation.
As the CGI report succinctly points out, it’s time businesses get serious about cybersecurity:
“It is no longer possible to regard cyber risk as a peripheral issue: it is increasingly clear that cybersecurity is a key factor in a business’s performance, reputation and, as we see in this report, its valuation.”