In a recent M&A survey focused on the software industry, 52 out of 100 senior global executives confirmed that their companies inherited cybersecurity problems from a software business that they either merged with or acquired. Moreover, 35 percent said that cybersecurity issues have previously caused them to nix a potential M&A deal with a software company.
The survey, conducted in Q1 2017 by Chicago-based management and technology consulting firm West Monroe Partners, was published earlier in June, shortly before Verizon finalized its contentious purchase of Yahoo, which suffered from multiple damaging data breaches that hurt its value.
Sean Curran, senior director in West Monroe Partners' security and infrastructure practice, told SC Media in an email interview that in addition to the Yahoo-Verizon saga, "We have definitely seen private deals where the security issues have resulted in price reductions. The primary lesson here is to spend the time necessary on diligence, and to ensure you have the proper leadership in place to manage any issues you uncover."
"Cybersecurity is an area of top concern for our clients,” said Matt Sondag, managing director of mergers and acquisitions with West Monroe, in the report itself. “Just read the news each week for the latest breach. Fortune 100 companies are spending millions on cybersecurity, but even those companies are still vulnerable to attacks."
According to the survey, cybersecurity risk remediation was the third most cited concern related to assessing a potential acquisition's technical issues (29 percent listed it as their #1 or #2 concern), behind scalability and consolidation of acquisition platforms.
While only 16 percent of polled executives admitted that have regretted a past acquisition, 25 percent of this sub-group said that cybersecurity issues were the primary reason why. This was the second most commonly cited reason, behind only an overcrowded competitive market (31 percent).
One the executives who said that his or her company has previously pulled out of acquisition deals is a chief strategy officer from an unnamed German corporation. “There were deals that were too good to be true, and once we started the due diligence process we realized that the companies had a lot of issues,” says the exec as quoted in the report. “They had underdeveloped cyber-risk systems and a lot of financial problems.”
Another surveyed exec, a CEO of a U.K.-based corporation, said in the report that his or her company once rejected an acquisition because the price of developing cybersecurity systems that would have protected the incorporated software business would have been "too costly."
In what appears to be a relatively positive development, only 16 percent of polled executives said they were "somewhat dissatisfied" with their companies' "due diligence" efforts to assess the cybersecurity posture of software businesses targeted for acquisition, while 84 percent said they were at least somewhat satisfied. However, these numbers do not compare favorably to satisfaction levels related to technical and operational due diligence efforts. Indeed, only one percent of respondents said they were "somewhat dissatisfied" with due diligence efforts related to these two areas.
When specifically naming which specific cybersecurity issues concern them most when acquiring a company, 60 percent of respondents said that post-merger integration is their their first or second biggest concern. Other key concerns that executives ranked first or second in terms of importance included the cost of correcting problems (42 percent), the occurrence of frequent or recent data breaches (41 percent) and threats to business data (38 percent).
Asked what kinds of software businesses they were interested in purchasing, many executives appeared to have little interest in buying a cybersecurity company. Only five percent of respondents listed cybersecurity businesses as a top priority for acquisition, while 23 percent ranked cybersecurity second or third. Out of eight categories of software companies, cybersecurity ranked sixth in terms of overall interest.