When Marriott International acquired Starwood in 2016 for $13.6 billion, neither company was aware of a cyber-attack on Starwood’s reservation system that dated back to 2014. The breach, which exposed the sensitive personal data of nearly 500 million Starwood customers, is a perfect example of what we call a “data lemon” — a concept drawn from economist George Akerlof’s work on information asymmetries and the “lemons” problem. Akerlof’s insight was that a buyer does not know the quality of a product being offered by a seller, so the buyer risks purchasing a lemon — think of cars.
We are extending that concept to M&A activity. In any transaction between an acquiring company and a target company (seller), there is asymmetric information about the target’s quality. While managers have long understood this idea, recent events shed light on an emerging nuance in M&A — that of the data lemon. That is, a target’s quality may be linked to the strength of its cybersecurity and its compliance with data privacy regulation. When an acquirer does not protect itself against a data lemon and seek enough information about the target’s data privacy and security compliance, the acquirer can be left with a data lemon — a security breach, for example — and the resulting government penalties, along with brand damage and loss of trust. That’s the situation Marriott is now dealing with. The company faces $912 million in GDPR fines in the EU, and its stock price has taken a hit. The problem doesn’t end there. According to Bloomberg, “the company could face up to $1 billion in regulatory fines and litigation costs.”
Marriott isn’t the only company in this situation. In 2017, Verizon discounted its original $4.8 billion purchase price of Yahoo by $350 million after it learned — post-acquisition — of the latter’s data breach exposures. Similarly, in April 2016, Abbott announced the acquisition of St. Jude Medical, a medical device manufacturer based in Minnesota, only to learn of a hacking risk in 500,000 of St. Jude’s pacemakers a year later, in 2017. Abbott ended up recalling the devices. Daiichi Sankyo, a Japanese company, acquired Ranbaxy, an Indian pharmaceutical manufacturer. Daiichi Sankyo later went to court alleging that the target firm had misrepresented FDA safety compliance data to Daiichi (among other issues).
So what to do about data lemons? You can certainly make the deal anyway, especially if the value created by the deal outweighs the risks. Or you can take the Verizon route and reduce the valuation post-acquisition. We recommend a third option: due diligence not just on the financials of the target firm, but also on its regulatory vulnerabilities during the M&A discussion process. The idea is to identify potential data breaches and cybersecurity problems before they become your problem.
Finding the Problem Before You Own It
In this approach, we borrow from established compliance standards meant to protect against bribery and environmental problems. The acquirer would look at the target firm’s past data breaches and require disclosure of prior data-related audits and any pending investigations worldwide. The acquiring company could also conduct a review of the target’s policies and procedures regarding data security — such as acceptable use of data, data classification, and data handling. The acquirer should also assess the target company’s compliance with cybersecurity frameworks from NIST, CIS, ISO, and the AICPA.
If some risk is found during the due diligence, an acquirer should engage in a more intensive audit of the target company’s policies. For instance, does the target adhere to any kind of data standards or certifications? (Examples include Gramm-Leach-Bliley and HIPAA.) Finally, due diligence should also include an assessment of the data-privacy requirements in third-party contracts.
Also, note that documents that change hands between the target and acquiring companies can themselves become risks for “data spillage” — the accidental release of sensitive data. Hence both the target and the acquiring firm are particularly vulnerable to attack by hackers during the M&A due diligence process, sometimes via a hack of third parties such as banks, law firms, accounting firms, or third-party vendors involved in the M&A. It’s important to increase the security of such data and review the practices of third parties to reduce this risk.