By Nadeem Mohammed, Deloitte MCS Limited
Imagine the scene: it’s Friday night, eight senior executives at one of the world’s largest companies are sitting around a private dining table at a swanky city restaurant. They’re there to celebrate the closure of a transaction they’ve been toiling over for the past 12 months. You’re the Deal Lead, and you’ve just taken a congratulatory phone call from the Chief Executive – the Board are delighted with the acquisition, which will now be at the heart of the company’s growth strategy. You’ve given blood, sweat and tears on this – you raise a glass towards the table and take a quiet moment to reflect on what is surely a career-defining moment.
Fast forward 12 hours and you wake, somewhat disorientated, to the incessant sound of your mobile alarm. You press snooze, but it keeps on ringing – it’s not your alarm, but multiple missed calls. You answer to a panicked voice telling you that the corporate network of your new acquisition has been breached, valuable information assets are now in unknown hands, and the entire value case for your transaction, worth hundreds of millions of pounds, could be lost. In the immediate aftershock, the hand holding the phone to the ear relaxes, and the mobile crashes down to the floor…
As dramatic as this may appear, it was exactly what ran through my head when an M&A client at a major life sciences organisation called me up and asked for my views on the impact that cyber security could have on a merger and acquisition (M&A). It is a fascinating question - which deserves better than a few off-the-cuff responses over the phone. I promised that I’d give some thought to this and decided to develop a point of view to share with my client and his peers.
The scale of the challenge
When I sat down to pen my thoughts, there were a number of consequences of cyber and data breaches that quickly came to mind, many with implications for M&A and the potential destruction of post-deal benefits. The immediate concerns include: impact on deal valuations, loss of IP, lost revenues, operational disruption, regulatory fines, cost of remediation, product launch delays, reputational damage and loss of customer trust. However, it was only when I started to try and quantify some of the impacts that I realised the true magnitude of what my client had asked. For example:
- the valuation of a company may drop by 20 per cent [1]
- the cost of losing critical IP (e.g. clinical trial data) could result in a loss of $363 million [2]
- a company could be fined up to four per cent of global turnover by the regulators (under the General Data Protection Regulation (GDPR)) [3]
- the average cost of operational disruption, arising from a single breach, could be greater than $4 million [4].
These numbers are staggering, and given some of the high profile corporate cyber breaches that have occurred in recent years, these numbers are probably still quite conservative.
So what can you do to mitigate the risk of a cyber incident destroying your M&A transaction? First, it’s important to acknowledge that cyber risk can never be eliminated – it can, however, be better understood and managed both before and during the M&A transaction:
- Before a deal, if you are a seller, you naturally want to maximise the price you get for the business. It’s certainly worth assessing your existing security capability - do you know what your most critical information assets are, and are you protecting those appropriately?
- During due diligence, as a seller, you’ll be sharing information that underpins the value of the business – do you have the governance, security, and procedures in place to do that safely? As a buyer, doing due diligence on the target, you’ll typically focus on things like commercial, finance, and legal – but are you also undertaking information security diligence to look for critical vulnerabilities?
- When negotiating the deal and planning for Day 1, as a buyer have you identified any cyber security weaknesses and can you use that to negotiate a lower price or build in contractual indemnities? And do you have a team lined up on Day 1 to rapidly conduct further security assessments and take the necessary action?
- Once the deal closes, the vast majority of separation and integration activities begin, with relentless focus on achieving the business case. Lots of information will be shared from this point. Are you bringing your people on the change journey and avoiding a disgruntled employee walking out the door with critical IP? Are you connecting corporate networks and email systems securely, and are you transferring all electronic and physical data safely?
The bottom line: a cyber incident can be catastrophic to your transaction. As a senior leader, you need to give it the attention it deserves. If you don’t, it may only be a matter of time before you get that phone call!