Cybersecurity issues are threatening M&A deals

A new study shows how cybersecurity lapses can jeopardize mergers and acquisitions, sometimes long after a deal is done.

Taking the time to conduct cybersecurity evaluations is important before and during an acquisition. (Photo: Shutterstock)

Cybersecurity issues are increasingly becoming a concern in mergers and acquisitions, a new survey shows, and lapses can jeopardize deals or haunt purchasers long after the deal is done.

Of more than 2,700 information technology and business decision makers surveyed by Forescout Technologies Inc. in seven countries, 53% reported that their organization had encountered a critical cybersecurity issue or incident that put an M&A deal in jeopardy. And 65% of respondents said they had experienced buyers’ remorse because of cybersecurity concerns after closing a deal.

The findings, released Monday, show that taking the time to conduct cybersecurity evaluations is important before and during an acquisition, even if it means finalizing the deal gets delayed, said Julie Cullivan, chief technology and people officer at Forescout. The company sells a security platform that allows companies to monitor and control access to their networks.

“Cybersecurity is a challenge for every organization, and risk factors are changing all the time,” Cullivan said. “It’s about making sure you put as much energy into it up front.”

Impact on M&A

Recent acquisitions highlight the threat that cyber risks can pose to a company’s reputation and bottom line.

Verizon Communications Inc. acquired Yahoo’s Internet properties in 2017 at a $350 million discount after security breaches surfaced at the web company. And Marriott International Inc. inherited a massive security risk when it bought Starwood, including a breach that was disclosed just days after the deal was announced.

Yahoo and Starwood aren’t isolated incidents. Earlier this month, Asco Industries, which Spirit AeroSystems Holdings Inc. agreed to buy in May 2018, was hit by a large-scale ransomware attack. The attacked cause a “serious” disruption of Asco’s activities, and its sites in Belgium, Canada, Germany and the U.S. were stopped.

Spirit AeroSystems won EU approval for the deal in March, but the acquisition has yet to be completed.

Thorough cybersecurity assessments that include utilizing third-party audits can often help avoid these types of issues, said Joe Cardamone, senior information security analyst and North America privacy officer for Haworth Inc., a designer and manufacturer of office furnishing products in Holland, Michigan.

“It’s not an intangible risk. It’s a very tangible thing and true money that can be lost,” said Cardamone, who has been involved in Haworth’s acquisition of at least six companies. “Treat it like you are buying a used car. I’d still want to look underneath the hood.”

Haworth, which is a Forescout customer, revamped its acquisition policy about five years ago to include information security.

Related: 

Copyright 2024 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.