Key cyber security considerations for sellers

Addressing potential lapses before buyer due diligence begins

Cyber security issues are a priority for corporate America. Companies that experience a data breach can lose many millions of dollars due to lost revenues, reputational harm, legal issues, and remunerations. These issues are also of particular importance during an M&A transaction, where unforeseen issues can result in the end of a deal or a potentially large price discount for a seller. For example, Verizon wound up reducing its purchase price of Yahoo by over 7 percent ($350 million) once Yahoo’s data breach came to light, according to The New York Times. Due to the Verizon-Yahoo deal, and other well publicized breaches, such as Equifax’s data breach affecting 145 million users in 2017 and Uber’s breach affecting 57 million customers and drivers in 2016, buyers now have a heightened awareness of the risks associated with acquiring a target company’s potential security liabilities.

According to a recent NYSE Governance Services study, 66 percent of executives said that their due diligence processes included a security audit of the target’s software applications and 74 percent of executives in the NYSE study said they would either walk away from a deal or significantly reduce the offer price if a data breach was uncovered during diligence. Sellers should understand the importance that buyers place on cyber security issues. Sellers should take steps to understand the state of their cyber security and address any lapses before the due diligence process begins and potentially deal-alternating information becomes known and has a negative impact on the seller’s returns from the sale.

Based on KPMG’s extensive M&A experience in both sell-side deals and cyber security issues.

Three key considerations are recommended for any company considering a sale

1. Robust cyber readiness, aligning business practices with technology

     Recommended timeframe to implement: 12 to 18 months


2. Ubiquitous data privacy

     Recommended timeframe to implement: 8 to 12 months


3. Effective data ownership

     Recommended timeframe to implement: 6 to 8 months

Companies that are considering a sale, spin-off or carve-out should understand the importance buyers place on cyber security. Sellers should address any cyber security weaknesses well in advance of a sale. Implementing a robust data security program involving people, process and technology and ensuring data privacy and effective data ownership will help sellers limit the chances that a breach might occur and that minimal surprises arise during the due diligence process. Avoiding a data breach will reduce the risk of adverse publicity, reduce the risk of data loss, eliminate the need for data security remediation during negotiations, increase the speed of the deal, help to avoid future liability and enhance the overall selling price of the transaction.