Venture Capital Firms and Acquiring Companies: The Blind Spot
By Kaustubh Medhe, VP, Research & Threat Intelligence
Mergers and Acquisitions (M&A) have become a common strategy for companies to scale, grow, consolidate, and gain competitive advantages. Due diligence is an indispensable part of such transactions. While most due diligence exercises involve complex financial modeling and assessment of regulatory, legal, and operational aspects of the business, one area that often gets far less attention than it should is cybersecurity and data privacy.
- Due Diligence Gaps: Traditional due diligence processes might include financial audits and market research but do not tend to focus on cybersecurity adequately. This oversight leaves firms vulnerable to unidentified risks that could later materialize as financial and reputational setbacks.
- Potential Risks: A prominent example involves Verizon, which discovered a massive data breach in Yahoo’s systems during its acquisition of Yahoo, resulting in a $350 million reduction in Yahoo’s sale price. This is a notable example of how cybersecurity incidents can have severe implications for the acquiring company, extending to lawsuits and regulatory actions, not to mention the reputational impact of such incidents coming to light during a merger or acquisition.
- Costs of Poor Practices: When a firm with subpar cybersecurity measures is acquired or merged with a larger organization, the cost of bringing that entity up to compliance and regulatory standards is often both time-consuming and expensive.
Instances of M&A Impacted by Data Breaches
The arena of Mergers and Acquisitions (M&A) has witnessed a seismic shift in how companies are valued, thanks to the escalating role of cybersecurity. A single data breach can profoundly impact the financial and reputational standing of a company in the middle of an acquisition, resulting in either a renegotiation or termination of the deal altogether.
Case 1: Yahoo! and Verizon: A Tale of Plummeting Valuation
When Verizon decided to acquire Yahoo! in 2016 for $4.83 billion, it seemed like a deal made in heaven—until Yahoo! disclosed a significant data breach affecting over 500 million users. The announcement had a domino effect: Verizon immediately sought to renegotiate the deal, resulting in a $350 million reduction in Yahoo!’s valuation.
Valuation Impact: The original deal was pegged at $4.83 billion, but after the breach’s disclosure, Yahoo!’s valuation plummeted by $350 million. This is a case study of how cyber vulnerabilities can eat into a company’s worth.
Case 2: Marriott-Starwood Breach: A Post-Acquisition Nightmare
In 2016, Marriott International acquired Starwood Hotels & Resorts for $13.6 billion. However, two years after the merger, a massive data breach affecting over 327 million guests was uncovered. This breach was traced back to Starwood’s online reservation system. A closer examination revealed that attackers had had unauthorized access to these systems since 2014.
- Post-Acquisition Complications: The discovery led to class-action lawsuits and regulatory fines, including a fine of up to $124 million under GDPR. This does not even account for the expenses of breach notification, remediation, and the additional cybersecurity measures the group had to implement to address the breach.
- Financial Risks: The monetary fines alone could be catastrophic, not to mention the costs involved in managing the crisis, upgrading security infrastructure, and the drop in share prices.
- Reputational Damage: For Marriott, the acquisition turned into a reputational nightmare. Customer trust eroded, and restoring that trust became an uphill battle.
Case 3: Facebook walking away from acquiring the predecessor of TikTok
Musical.ly, the predecessor of the social media sensation TikTok, was in talks with Facebook to be acquired. With the growing popularity of short-form video content, Facebook was extremely keen for this M&A deal to go through smoothly. However, over the course of negotiations, several issues emerged:
- Investigation by Law Enforcement Authorities: Musical.ly’s parent company, ByteDance, was under investigation by the Committee on Foreign Investment in the United States (CFIUS) over national security concerns, as well as over controversial censorship policies implemented by the platform (in compliance with CCP regulations in its home country of China). Meta (then Facebook) walked away from the deal, citing lack of compliance and a mismatch between the two firms’ values and approaches to censorship.
- Lack of compliance with US legislation and regulations: Another key factor was the lack of guarantees regarding US users’ data security on the platform, which would, in turn, implicate Facebook if those sensitive credentials were leaked or misused.
- Potential legal action and scrutiny: ByteDance, the parent company of Musical.ly and TikTok, was hit with a class action lawsuit alleging massive data collection without user consent and the storage of this data on their servers in China, allegedly violating consumer and data privacy laws.
Broader Implications: Financial and Reputational Risks
All three of these cases highlight the potential financial and reputational risks involved in M&A transactions where cybersecurity or data privacy is not accorded the same level of seriousness as other aspects of the business.
- Financial Risks: Falling stock prices, fines, and the cost of damage control can swiftly turn an otherwise profitable acquisition into a financial burden.
- Reputational Risks: The loss of customer trust can take years to rebuild and may even deter potential business partnerships and deals, impacting future growth prospects.
- Lack of compliance: If the firm being acquired is non-compliant with regulations set forth by the parent company’s nation or global privacy laws, or even worse, is entangled in legal battles, it can only have an adverse impact on the acquiring firm. Compliance with cybersecurity laws and regulations has gained unparalleled importance in M&A evaluations. Given the stringent nature of new laws like the GDPR, CCPA, and HIPAA, the cost of non-compliance can be catastrophic.
- Penalties: Non-compliance could lead to penalties that significantly impact the financial stability of the newly merged entity. British Airways, for instance, was fined $230 million for a data breach, a factor that could have severely impacted an M&A deal.
The Role of Digital Risk Monitoring Solutions
Most VC firms still rely on outdated and inefficient methods such as checklists, questionnaires, and dipstick audits or interviews to assess the cybersecurity health of a potential acquisition target. These exercises are thoroughly ineffective in assessing the true cybersecurity posture and risk of the organization, as they rely largely on self-declared assertions that cannot be practically validated by the firm performing the due diligence.
Digital risk monitoring solutions offer acquiring firms a lifeline by providing deeper visibility and actionable intelligence that can uncover hidden risks and help deal makers in decision-making. These solutions deliver a breadth of information about the entity by scanning both the dark web and surface web, which forms a vital part of cybersecurity due diligence.
- Risk Monitoring: Real-time digital risk monitoring solutions sift through vast amounts of data to identify potential threats and exposures related to the acquisition target. They work 24/7, ensuring no vulnerability goes unnoticed.
- The Impact of Data: With such real-time data, companies can make more informed decisions regarding the acquisition. For instance, they can negotiate better deals, require cybersecurity improvements as a condition for finalizing the merger, or budget for the anticipated expense of bolstering the security posture post-acquisition.
- Tool capabilities: Digital risk monitoring solutions continuously scan websites, social media platforms, dark web forums, cyber-crime forums, and marketplaces to identify information about threats, vulnerabilities, and impending attacks that could indicate a data breach or data exposure with serious ramifications for the organization.
These platforms provide a unified external threat exposure management service for venture capital firms and acquiring companies, which can use them to ensure that their investments are cyber-resilient.
- Integration: These tools can be seamlessly integrated into larger business intelligence or security monitoring ecosystems and incident management systems, facilitating ease of use and continuity of data interpretation in the due diligence process.
- Focus on Supply Chains and Third Parties: Such platforms also provide users with third-party risk management capabilities by extending their monitoring to the entities’ third-party vendors and supply chains.
- Cost-Benefit Analysis pre-M&A negotiations and post-merger governance: Numerous M&A transactions can be assessed at scale with very little manual intervention or configuration. This gives VC and PE firms a bird’s-eye view of cybersecurity risk across their portfolio companies and potential acquisition targets, and helps them negotiate fairer, risk-adjusted deal prices based on an accurate cost-benefit analysis of any M&A action.
- Achieving compliance with regulatory bodies: Such platforms also meet the requirements of several regulatory and standards frameworks, ranging from ISO 27001 to GDPR.
Final thoughts
Cyber threats have shown themselves to be volatile, dynamic, and resilient. They are only expected to increase as the attack surface expands with the adoption of new technologies such as automation, mobile, and cloud.
M&A transactions are complex and multifaceted and involve a lot of unknowns and risk – with cybersecurity playing an outsized role in that “unknown”. VC and PE firms need to be cognizant of the growing importance of performing cybersecurity due diligence, leveraging digital risk monitoring platforms to help them better navigate that uncertainty.
About the Author
Kaustubh Medhe is the Vice President of Research and Threat Intelligence at Cyble. He is a security and privacy leader with over two decades of experience in information security consulting, audit, fraud risk management, and cyber defense operations.
At Cyble, he leads Research, Customer Success, and Cyber Threat Intelligence Services for clients globally.
Kaustubh is CISM (ISACA) certified, is a Fellow of Information Privacy (IAPP), and holds the CIPP/E and CIPM credentials.
Kaustubh has executed and led information risk management programs for some of the largest clients in the banking, insurance, retail, and oil and gas industries in India, the US, APAC, and the Middle East.
Prior to joining Cyble, Kaustubh was instrumental in setting up and operationalizing a threat intelligence-enabled cyber defense center at Reliance Industries, one of the largest conglomerates globally, with over 250K employees and 50K globally distributed assets (on-premises and in the cloud).
In the past, Kaustubh was associated with global managed security services providers such as Paladion (now ATOS) and Happiest Minds Technologies, where he led their Cyber Security and SOC Practice. In his early career, Kaustubh worked with the KPMG IT Risk Advisory Practice, where he was involved in leading and executing information security consulting and audit engagements for clients in the BFSI, Manufacturing, and IT-ITES sectors.
He can be reached at [email protected]