Security Now Determines Company Value

The Yahoo-Verizon deal hit a nerve in the M&A process, where a company's cybersecurity posture has become a sensitive negotiation issue

cybersecurity of M&A

In a now-infamous lesson about the costly aftermath of data breaches, Verizon slashed its acquisition price of Yahoo by $350 million. This is thought to be the first time a merger has been impacted by a cyber incident.

Ironically, Yahoo dodged a bullet—Verizon had initially requested a discount closer to $1 billion. Now for the bad news: That revaluation has ignited widespread changes in the mergers-and-acquisitions process across several industries, possibly impacting countless other companies.

In wake of this, Bloomberg Technology reports that enterprises are hiring cybersecurity consultants to strengthen due diligence. “Cybersecurity is not about getting technical,” Michael Bittan, head of Deloitte’s three-month-old Cyber Risk Services unit in France, told Bloomberg. “It’s about business impact and ultimately, valuations. It will become a pillar of M&A decisions.” The story likewise mentions that corporate customers have been asking Orange SA, a phone operator, for M&A audits.

chart courtesy of West Monroe Partners

Last year, an NYSE study found that more than half of directors and officers surveyed say a high-profile data breach significantly lowers valuation, while 22% said they wouldn’t even consider acquiring such a company.

The message is clear: Failure to implement strong threat detection—and present the actionable intelligence to back it up—will likely interrupt corporate growth. And if the onus of security is on the company up for acquisition, it’s up to the buying parties to aggressively set those standards. This is fundamental risk management.

One cautionary tale is the $700 million sale in 2015 of Pacnet, an Asian cable company, to Telstra, the large Australian telecom company. The latter only learned of Pacnet’s data breach after the deal’s completion. Whatever evaluation process Telstra had in place failed them. 

chart courtesy of West Monroe Partners

A few months back, Bloomberg Law wrote about the expanding role of lawyers in the M&A arena. “Data-privacy counsel, cybersecurity counsel—companies will start thinking maybe we should invite them to the table and at least think about calling in-house or even outside counsel,” Vinson & Elkins partner Devika Kornbacher told them.

The story cites a survey by the business-consulting company West Monroe Partners. In the study, 80% of respondents said that cybersecurity issues are highly important in the M&A process. And 40% of acquirers said they’ve found a cybersecurity problem at a company after completing a deal.

Intralinks, a business-content collaboration organization, surveyed 440 global dealmakers, 24% of whom expect more deals to fail over the next six months due to cybersecurity issues. The company also estimated, earlier this year, that data breaches could reduce deal values by as much as $3 billion. Why? Because an organization’s security platform is one of its most valuable risk-management tools. It not only determines the value of the acquired company—it goes on to determine the worth of the larger enterprise.