Op-ed: Cybersecurity is the ‘blind spot’ that can derail some of Wall Street’s biggest M&A deals

Increasing privacy concerns spearheaded by the U.S. government has put a spotlight on TikTok and WeChat, both owned by China-based companies. Protecting user data of American citizens remains at the forefront of President Donald Trump‘s quest to press a sale of these organizations to U.S.-owned organizations. However, pressure to protect data and minimize the potential for cyber breaches have long been documented, as seen in the sale of dating app Grindr earlier this year due to concerns over privacy and security. Now, with TikTok in talks with Microsoft and Oracle for a potential acquisition, the issue has become even more pressing.

It’s clear that cybersecurity remains a continued concern that can play a critical role in major deals and investments. As a result of the COVID-19 pandemic, industries like retail are under pressure at the board-level to make themselves an attractive target for M&A activity as the only solution to keep their doors open.

This year, we’ve already seen numerous retail investments. In June, Lululemon entered into an agreement to acquire Mirror for $500 million. Shortly after, Uber entered an agreement to take over Postmates for $2.65 billion. However, financials may not be the only factor in ensuring businesses remain open.

 As the world grapples with how to deal with new challenges and a shift to remote work because of Covid-19, companies need to do a better job of cyber due diligence to prevent the shattering of any potential M&A activity and avoid any more disasters.

 With these deals, we are seeing more and more retail investors expressing greater interest in non-financial factors such as environmental, social, and governance — but a major blind spot is not looking at how an organization is approaching cybersecurity. It’s easy to assume a company is doing all the right things when it comes to cybersecurity, but even the most tech-savvy company may be leaving itself exposed. Hackers often break into a company’s network and remain dormant until the right opportunity to strike comes along and many organizations lack a proper work from home policy that may help them to avoid a breach. Once a deal has closed, the acquiring company becomes responsible for the acquired cyber risk, a hard lesson learned by Marriot in 2018, who failed to address significant cyber risks of Starwood.

 In 2019 nearly $4 trillion in M&A deals took place. As investors ready themselves for the next wave of M&A activity, ensuring cybersecurity is factored into the due diligence process is critical to avoid millions in fines, brand reputation and protecting sensitive customer information. With more employees working remotely than ever before, organizations are at significant risk for a security breach. Having a strong cyber posture will become critical for companies looking to defend their valuation, and in some cases, can devalue a company’s offering when the time comes to sign a deal.

The harsh reality of not assessing cybersecurity risk has left a number of businesses with hefty fines because of major issues with the companies they acquired. For example, in 2018, following its successful acquisition of Starwood two years prior, Marriott learned that the company had acquired more than a series of hotels. It had also acquired some major security issues. Post-acquisition, Marriott discovered that Starwood’s network had been compromised in 2014. Because the company had not yet migrated its networks and systems over to the seemingly more protected Marriott networks, they were met with major damages.

 Hundreds of millions of private records were leaked, including customer records, credit card numbers, and passport information, leaving the company facing over £99 million in fines by the U.K., as well as irreparable damage to their brand. 

 Basic cybersecurity hygiene issues were missed without an accurate picture of what the company was doing when it came to cybersecurity. Having real-time monitoring solutions in place could have given investors a better understanding of the security risks and improvements needed when the deal went through, and potentially even reduce the cost of the initial acquisition. While Marriot serves as an example for retailers, an alarming 3 in 4 retailers have been hacked by cyber criminals. This is further expressing the urgency in ensuring cybersecurity is factored into the due diligence process.

The due diligence processes each company undergoes when making an investment will vary depending on the company, industry, and region. While there is no universal standard, it is critical that companies get it right and understand potential areas of concern they may be inheriting. Many retail investors focus strictly on factors like ethical sourcing and corporate social responsibility programs, but it’s important that the structural integrity of its technology and cyber posture is examined.

 There are five pillars investors should pay close attention to when it comes to due diligence including basic company information, financial information, political and reputational risk, operational risk and cyber risk. While many companies zero in on financial information, not enough put an emphasis on cybersecurity risk. 

 When it comes to cyber risk, assessments are commonly completed using basic tactics such as a questionnaire or interview. In some cases, a technical penetration test may allow an acquirer to test the security of some systems. This is not always easy to obtain and the data obtained doesn’t always give the bigger picture.

 Investors should request records and documentation of IT security initiatives, any known incidents, and recent assessments conducted by third parties (including physical security). Investors should also leverage externally observable data, including data provided by security rating providers, which can provide objective evidence of past performance. Data on vulnerabilities, infections, patching rates, and other indicators of cybersecurity hygiene are available for investors to evaluate.  

 What’s more, for the acquisition target, ensuring your business already has these systems in place can help your business become an even more attractive target by demonstrating strong cybersecurity performance.

In 2011, the SEC issued a set of disclosure guidelines that told companies to disclose any potential cyber risk, possible effects of that risk, as well as the status of internal controls and risk management procedures in place. This guidance was updated in 2018 and adopted as commission guidance.

 It’s time that the SEC did more to ensure that investors are informed of cyber risk. Clear disclosure and transparency standards would make it harder for companies to keep the public and their shareholders in the dark about financial losses and potential cyber threats.

 What may be needed is a consistent framework for disclosing cyber risk, financial impact, security controls, and third-party assessments. By developing a clearer disclosure framework, the SEC could ensure that investors are protected and companies would be held accountable for their security procedures, making it more likely that they would regularly measure security performance and creating a safer environment all around.

 The SEC should seek to convene meetings with institutional investors, shareholders, and companies to determine the effectiveness of existing disclosure requirements; where gaps may be present; and whether additional standards or requirements may be necessary.

 A major security breach can be detrimental, especially to retailers operating on low margins. As the pandemic further accelerates the shift away from brick and mortar and onto online retail, retailers are facing new challenges when it comes to security — challenges that can have devastating consequences if not addressed entirely. There is not nearly enough emphasis on cybersecurity in M&A deals. Widening the scope of corporate due diligence programs allows investors to uncover all facets of risks and set them up for a stronger investment.

 By implementing simple measures and a great due diligence process to assess risk, retailers can make a major impact on their bottom line, and have peace of mind before executing any deal. Apart from looking at company offerings, the structural integrity of IT systems and cybersecurity posture could just as easily outweigh the benefit. 

 — By Stephen Boyer, co-founder and CTO at BitSight