As Verizon recently learned as they continue their plans to acquire Yahoo, failing to conduct a cyber security assessment as part of M&A due diligence can be costly; any business considering an acquisition should learn from Verizon’s misstep.
While companies generally understand the importance of conducting thorough due diligence before agreeing to acquire a target company, this process has often been limited to an investigation of the potential acquisition’s financial and legal information. However, as Verizon Communications recently learned the hard way, failing to conduct a complete cyber security assessment as part of the M&A process can leave major and costly issues hidden, and these undiscovered cybersecurity risks can profoundly affect the value of the acquisition. Businesses considering acquiring another company should learn their lesson from Verizon’s experience and make cybersecurity an integral part of their due diligence process.
Verizon’s acquisition of Yahoo has made business headlines for months, but recently unveiled information about major security breaches and failed cyber security protocols on Yahoo’s part has made the potential deal seem much less attractive. Yahoo announced last month that it faced two huge customer data breaches between 2013 and 2014. This announcement highlighted what many in the industry saw as Yahoo’s poor record on cybersecurity. For example, security certificate company Venafi Labs claims that almost 30 percent of Yahoo’s security certificates are out-of-date by as much as two years. Particularly following a breach, failing to replace certificates flies in the face of mitigation best practices as a company can’t be certain that hackers don’t still have access to secure information with outdated certificates. What’s more, Yahoo is apparently using a hashing algorithm in its security certificates that is widely considered to be insecure, demonstrating that the company failed to learn a valuable lesson on cyber security even after facing two major breaches within two years.
Ultimately, Verizon has decided to move forward with the acquisition, but the offered sales price was heavily discounted to the tune of $350 million to cover the potential legal liabilities resulting from Yahoo’s data breaches. In addition to the possible legal liability, the communications giant will face massive costs trying to bring the company they are acquiring up to standard in terms of cyber security.
The clear lesson from Verizon’s experience is that due diligence on a company’s cyber security protocols must be an essential part of any potential acquisition. Weak cybersecurity procedures and the associated risk can substantially reduce the value of any business, and if the acquiring company misses these issues, the return on their investment can easily fizzle away. However, knowing what to examine when conducting a cyber security assessment of a potential acquisition can be daunting.
So what steps should businesses take regarding a target company’s cyber security protocols before moving forward with any purchase? Bringing in technical consultants and advisors can certainly help in ensuring that no critical issues are missed. In general, several key areas should be examined, including the target company’s data security and privacy policies across all technologies, their record of compliance with appropriate regulations, any information about known breaches, details of contracts with vendors of IT and cyber security services, storage details for sensitive data, physical security of computing infrastructure, and any social media presence.
While it may be tempting to cut corners when conducting a cyber security assessment, remember that failing to do so could not only cost your business dearly regarding its investment; any security risks of the target company could put your stuff at risk following a merger.
Is your business considering undertaking an acquisition of its own but is unsure how to conduct an appropriate cyber security assessment? The expert security team at Where To Start can help you analyze the full cyber security health of any potential target to help ensure that you avoid acquiring any serious cybersecurity issues. Contact us today at email@example.com to learn more.