M&A

Mastering M&A Cyber Risk

Don’t have time to read? Start listening to this blog post now:

Every April, golf and business legends descend upon the tranquil 18-holes of Augusta National Golf Course to take in the splendor of the greens and the most unforgettable moments in golf. These are the best of the best from across the globe duking it out for the coveted green jacket. Competition is fierce. These are the most experienced players in the game who have been under high-pressure situations before swinging with precision strokes they have practiced thousands of times. Even at the peak of their game, they can quickly plummet from the leaderboard to out of the money with one stroke. They move from hero to zero in the blink of an eye. The same is true for mergers and acquisitions (M&A).

So, what can we learn from this great golfing event? Even the most seasoned M&A teams need to be at the top of their game no matter if it’s a par 3 or a par 5. It’s about the equipment, the team, the environment and knowing your risk. The M&A process begins with the foundational strategy, selection of the right company and using resources most efficiently to answer your questions about company risk.

Up to this point, we have solved risk with earnouts, an arbitrary amount typically set aside to cover the unexpected. Buyers love it, sellers detest it because they have often had little control over the acquired asset post-closing. It also keeps a wedge between the seller and buyer since their organizational goals are typically not aligned. Ultimately it becomes a sand trap which is every player’s worst nightmare.

The risks intensify as enterprises fundamentally shift to the digital world and well-resourced hackers advance in sophistication and through their efforts, are emboldened. We need to be more diligent in identifying the target’s critical digital assets. More importantly, we need to understand the protection of these assets in real time as the deal progresses. There are several acquisitions over the past decade which have fundamentally lost the value of the acquired assets only after the deal closed. Later, they found the seller had been hacked, their assets were stolen, and the vulnerability was still open months after the breach.

If you want to be on the leaderboard versus out of the money when the target company collapses under civil litigation, IP theft, brand damage, or regulatory penalties take a hard look at digital risk when conducting your next due diligence process. If you have not done this before, hunt for a caddy, who knows the greens and can give you insightful, quantitative information to maximize your success.