Can a single data breach kill or sideline a deal? Perhaps so. Last month Verizon signaled that Yahoo!’s disclosure of a 2014 cyberattack might be a “material” change to its July $4.83 billion takeover bid—which could lead Verizon to renegotiate or even drop the deal entirely. Concern over cybersecurity issues is not unique to technology or telecommunications combinations. In a 2016 NYSE Governance Services survey of public company directors and officers, only 26% of respondents would consider acquiring a company that recently suffered a high-profile data breach—while 85% of respondents claimed that it was “very” or “somewhat” likely that a major security vulnerability would affect a merger or acquisition under their watch (e.g., 52% said it would significantly lower valuation).
Bottom Line: Cybersecurity should play a more meaningful role in the due diligence portion of any potential M&A deal. Certainly this is so when a material portion of the value in the acquisition comes from intangible assets that might be most vulnerable to hackers. Financial information comes to mind. Personal information of employees does as well. But companies also need to be concerned about their trade secrets, know-how and other confidential business information whose value inheres in its secrecy. Therefore, a merely perfunctory approach to cybersecurity can become very costly. The union of companies today is a union of information, malware and all.
Energy M&A Is Not Immune
To weather the plunge in prices, many oil companies have sought out new innovations to reduce the cost of extraction and exploration. Investments in digital technologies will likely only increase—a 2015 Microsoft and Accenture survey of oil and gas industry professionals found that “Big Data” and the “Industrial Internet of Things” (IIoT) are targets for greater spend in the next three to five years. Cybersecurity threats were perceived in the survey as one of the top two barriers to realizing value from these technologies.
These developments in energy industry—bigger data and bigger vulnerabilities—are here to stay. The proposed merger of General Electric and Baker Hughes also speaks to the growing importance of analytics to oil production. Commentators note that the acquisition would allow GE more fully to implement its Predix platform, an application of IIoT to connect everything from wellhead sensors to spreadsheets. However, as last month’s massive cyberattack on DNS provider Dyn, Inc. demonstrated, the IIoT holds unique challenges as well as great promise for operational efficiency. (In this attack, reportedly 400,000 internet-linked gadgets were hacked and used to reroute web traffic to overload servers.)
Bottom Line: Robust cybersecurity diligence should be de rigueur for energy M&A.
What Can Companies Do to Protect Deal Value?
For starters, energy companies should treat cybersecurity as a separate and more involved category for due diligence.
Liability for or damages from legacy data breaches or malware can become expensive—damages to systems, theft of information and liability from the release of personal or reputation-damaging information, to name a few. Therefore, anticipating problems post-merger, cataloguing past vulnerabilities and most importantly, discovering actual breaches before closing is crucial to avoid deals blowing hot and cold.
Companies should retain IT specialists who can do an objective assessment of the cybersecurity posture of a proposed merger or acquisition. This can help prospective acquirers better determine the adequacy of a target’s cybersecurity programs, such as its policies over incident response, how access to data is distributed, the extent of a company’s online presence and vulnerabilities, and how remediation of any potential cyberthreats or actual breaches may best proceed.
A cybersecurity questionnaire should also be developed, covering such topics as:
An acquirer could further insist on specific representations and warranties from a target company regarding their cybersecurity compliance, as well as bargain towards indemnity for prior data breaches.
On the target side, energy companies should prepare (in turn) for more scrutiny over their data security and privacy practices. Among other benefits to “knowing thyself,” getting ahead of this process should offer targeted companies a better negotiating position. It would also allow them to take a more proactive role in defining the policies of the combined company post-merger. At the very least, these efforts could help avoid the kind of hiccups and uncertainties that lead to undervaluation. In any event, poor cybersecurity practices can give an impression that a target lacks risk management in other areas—not an ideal pose to strike in any bargain.
Parting Thoughts
It is a trope in cybersecurity writing to invoke figures like Sun Tzu and shoehorn in quotes about war stratagem. Well, these habits are in some ways unavoidable: For all intents and purposes, fighting anonymous hackers resembles battle prep—a method of self-awareness and readiness that defies box-checking.
Energy companies could take these words to heart from the inestimable Miyamoto Musashi, a samurai who won 60 duels: “If you consciously try to thwart opponents, you are already late.” (A sentiment echoed more recently by Mike Tyson’s truistic “Everyone has a plan until they get punched in the mouth.”)
And This Key Takeaway: Any cybersecurity program must go hand-in-hand with a corporate culture that respects data as among its most valued assets. Efforts in detection, reporting and remediation are challenges that fall throughout the ranks and, if reflexive to the unknown, stand the best chance of being fully realized.
Bottom Line: Mind Your Data!
In a major victory for the business community, Judge Sam R. Cummings of the U. S. District Court for the Northern District of Texas issued a permanent nationwide injunction blocking the Department of Labor (DOL) from enforcing its new “persuader” rule. National Federation of Independent Business, et al. v. Perez, et al., Case No. 5:16-cv-00066. The rule attempted to expand disclosure requirements by employers and their consultants (including attorneys) related to union-organizing campaigns.
For years, the DOL took the position that no reporting was required unless the consultant had direct contact with employees by way of in-person meetings, telephone calls, letters, or emails. Similarly, no reporting was required if the consultant’s activities were limited to providing sample materials such as speeches, postings, letters to employees, and the like that the employer was free to accept, reject, or modify.
