As Verizon recently learned while pursuing its plans to acquire Yahoo, failing to conduct a cyber security assessment as part of M&A due diligence can be costly; any business considering an acquisition should learn from Verizon’s misstep.
While companies generally understand the importance of conducting thorough due diligence before agreeing to acquire a target company, this process has often been limited to an investigation of the potential acquisition’s financial and legal information. However, as Verizon Communications recently learned the hard way, failing to conduct a complete cyber security assessment as part of the M&A process can leave major and costly issues hidden, and these undiscovered cybersecurity risks can profoundly affect the value of the acquisition. Businesses considering acquiring another company should learn from Verizon’s experience and make cybersecurity an integral part of their due diligence process.
Verizon’s acquisition of Yahoo has made business headlines for months. However, recently unveiled information about major security breaches and failed cybersecurity protocols on Yahoo’s part has made the potential deal seem much less attractive. Yahoo announced last month that it faced two huge customer data breaches between 2013 and 2014. This announcement highlighted what many in the industry saw as Yahoo’s poor record on cybersecurity. For example, security certificate company Venafi Labs claims that almost 30 percent of Yahoo’s security certificates are out-of-date by as much as two years. Failing to replace certificates, particularly following a breach, flies in the face of mitigation best practices: as long as outdated certificates remain in service, a company can’t be certain that hackers don’t still have access to secure information. What’s more, Yahoo uses a hashing algorithm in its security certificates that is widely considered insecure, demonstrating that the company failed to learn a valuable lesson on cyber security even after facing two major breaches within two years.
Ultimately, Verizon has decided to move forward with the acquisition. Still, the offered sales price was heavily discounted to $350 million to cover the potential legal liabilities resulting from Yahoo’s data breaches. In addition to the possible legal liability, the communications giant will face massive costs trying to bring the company it is acquiring up to standard on cyber security.
The clear lesson from Verizon’s experience is that due diligence on a company’s cyber security protocols must be an essential part of any potential acquisition. Weak cybersecurity procedures and the associated risk can substantially reduce the value of any business. If the acquiring company misses these issues, the return on its investment can easily fizzle away. However, knowing what to examine when conducting a cyber security assessment of a potential acquisition can be daunting.
So what steps should businesses take regarding a target company’s cyber security protocols before purchasing? Bringing in technical consultants and advisors can help ensure that no critical issues are missed. In general, several key areas should be examined, including the target company’s data security and privacy policies across all technologies, their record of compliance with appropriate regulations, any information about known breaches, details of contracts with vendors of IT and cyber security services, storage details for sensitive data, physical security of computing infrastructure, and any social media presence.
While it may be tempting to cut corners when conducting a cyber security assessment, remember that doing so could not only cost your business dearly on its investment; any security risks of the target company could also put your own assets at risk following a merger.