In July of this year Verizon announced it was going to buy Yahoo for $4.8B. A few weeks later, Yahoo started investigating a potential data breach of around 200 million records that were for sale on the Dark Web. In mid-September, Yahoo disclosed that sometime in 2014 it was attacked and roughly 500 million user accounts were compromised. A couple of days later, Verizon said this was the first it had heard of the breach and that the event may have a “material impact” on the purchase deal. By October, news reports were circulating that Verizon may ask for a $1B discount off the purchase price.
That $1B discount equates to nearly 20% of the original offer. Could it be that cyber risk wasn’t adequately considered by those putting the deal together?
Maybe the deal will go through. Maybe it won’t. I’m sure each side’s lawyers and financial advisors are going back and forth. That will certainly run up the transaction costs. Even after the public relations teams put a happy spin on the outcome, the incident cost time and money beyond the actual effect the breach had on end users. So how do you prevent something like this from happening? Include cyber risk as part of the due diligence and do it early.
On the buyer side, have your cybersecurity experts take a hard look at how the target company approaches identifying and securing the “crown jewels”. Questions to ask include: How often do the Board and Executive Leadership Team discuss cyber risk? Who is responsible for cybersecurity? Where are they placed in the organization? Do they have sufficient resources to accomplish their task? Have they identified their critical assets and what measures have they taken to protect them? How do they monitor their networks and assets to detect possible malicious activity?
On the seller side, the time to address these issues is well before you decide to put yourself on the market. You should know what drives value in your company and take measures to protect that value. You should understand the cyber risk as much as you do the financial and market risks. After all, if an incident costs you 20% of your company’s value, that’s a serious agenda item for the Board.