Cybersecurity Concerns in M&A Due Diligence

Jeff Welgan


November 1, 2016


In April, healthcare products manufacturer Abbott Laboratories announced the acquisition of St. Jude Medical. Shortly thereafter, however, the $25 billion deal was threatened when a report alleged that St. Jude’s pacemakers and defibrillators—part of a category that represents 50% of the company’s revenues—were vulnerable to wireless cyberattack, jeopardizing the safety of thousands of device users. The author of the security report, MedSec Holdings, fed their findings to Muddy Waters Research, an investment research firm that subsequently shorted St. Jude stock. This arrangement financially benefited Muddy Waters and MedSec and, when the damaging report was made public, St. Jude’s stock price dropped more than 10%. Muddy Waters and other short-sellers stand to profit even more if the deal falls through because of these disclosures of cybersecurity lapses.

In general, public scrutiny around acquisitions has increased for all companies involved in deals. Senior leadership, including the board of directors, must ensure that cybersecurity due diligence is conducted as faithfully as any other diligence area. In a 2016 New York Stock Exchange Governance Services survey, three-quarters of respondents said that a high-profile data breach at an acquisition target would have serious implications for a pending acquisition. Moreover, more than half said that a high-profile cyber breach would diminish an acquisition target’s value.

While this is not the first time that cybersecurity issues have negatively affected stock prices, this may be the first case where cybersecurity disclosures—responsible or otherwise—were tactically used to affect interim company value and potentially derail an acquisition deal. Rather than disclose the alleged vulnerabilities of the medical devices to the manufacturer, the FDA or other regulators, it appears that MedSec disclosed the vulnerabilities to Muddy Waters with financial gains in mind. Although this may be the first such case of stock manipulation, it will not be the last. Cybersecurity is perceived as complex and critical, and therefore could be a valuable tool for short-sellers.

Given the pending nature of the transaction, it is difficult to pinpoint what, if anything, went wrong in the cybersecurity due diligence between Abbott Laboratories and St. Jude Medical. An analysis of the merger agreement documents, however, does not show any references to cybersecurity as a diligence condition or as a material breach trigger for the acquisition.

When entering any merger or acquisition, the process of cybersecurity due diligence should start early in the negotiation phase. There are many considerations to take into account to avoid complicating acquisition plans. The following are the top five:

1. Are there any indications that the acquisition is currently breached or has previously been breached? A current breach can be a worst-case scenario for the buyer, who will have to deal with any consequences that result from the incident. Previous breaches also indicate areas of vulnerability for the acquisition and raise the question of what they have done since to improve their resiliency.

2. What is the acquisition’s overall cybersecurity maturity? An organization’s cybersecurity is only as strong as its cyber maturity. Be wary of acquisitions that have lackluster cybersecurity policies, procedures, reporting structures and training.

3. Has the organization conducted its own cybersecurity audit? When? By whom? What were the results? It is important that all organizations conduct regular cybersecurity audits, and it should be no different for the acquisition. As part of negotiations, ensure that the acquisition has a cybersecurity risk assessment conducted by an independent and reputable third party.

4. What types of devices, systems and data does the acquisition have that may be at risk? Keep in mind that businesses are part of interconnected operating environments. It is important to identify the acquisition’s critical assets, as well as the potential implications should they be compromised. Had Abbott discovered the possible medical device risk, they could have built provisions into the merger agreement to address it.

5. How are cybersecurity due diligence efforts being documented? Ensure that all due diligence efforts, for both the buyer and the acquisition, are being tracked, documented and stored. Going through a formalized documentation process will reduce the chances of overlooking cyber issues and provide evidence of good faith and care in the event of unforeseen circumstances.

Jeff Welgan is the executive director of the board and executive training program at CyberVista.