While the consequences of cyber threats were soundly felt by Yahoos shareholders and widely covered in the news, it was an extraordinary event that raised eyebrows among M&A practitioners but did not fundamentally transform standard M&A practices. However, given the high potential cost from cyber threats and the high frequency of incidents, acquirers need to find more comprehensive and expedient methods to address these risks.
Today, as conversations accelerate around cybersecurity matters during an M&A process, corporate executives and M&A professionals will point to improved processes and outsourced services for identifying and preventing security issues. Despite the heightened awareness among financial executives and a greater range of outsourced solutions for addressing cybersecurity threats, acquirers continue to report increasing numbers of cybersecurity incidents at acquired targets, often after the target has already been acquired.Despite this, acquirers continue to focus due diligence activities on finance, legal, sales and operations and typically see cybersecurity as an ancillary area.
While past or potential cyber threats are no longer ignored in the due diligence process, the fact that data breaches are still increasing and can cause negative financial impact that will be felt long after the deal has closed highlights a greater need for acquirers to continue to improve their approach and address cyber threats.
Most middle-market companies will typically be sold in an auction process where an investment bank is engaged by the seller to maximize value by fostering competitive dynamics between interested bidders. Under tight time constraints, buyers are forced to prioritize their due diligence activities or risk falling behind in a deal process.