Data breaches are a constant in today’s headlines, but in recent years the risk has been front and center of some of the most significant M&A deals. In 2017, Verizon discounted its acquisition price by $350 million when Yahoo belatedly disclosed that it experienced several massive breaches. And in November 2018, Marriott publicly disclosed that Starwood’s guest reservation database — containing hundreds of millions of personal records — had been compromised since 2014, prior to the Marriott acquisition. These incidents — and countless others — raise critical questions. How should Boards be thinking about cyber risk in the acquisition process? What steps should they take to address this risk prior to the acquisition?
For years, cybersecurity was considered a “check-the-box” discussion during the merger and acquisition (M&A) process. It was almost always examined to ensure there weren’t any glaring issues or major red flags—but there wasn’t a whole lot of care or thought put into it.
Every year, companies spend billions of dollars on mergers and acquisitions. (The value of worldwide M&A deals in 2014 totaled $3.5 trillion.) Managing risk throughout the process is an important element of any merger, but there's one area of risk management that hasn't had the attention it deserves.