The hidden dangers of data in the M&A process


Originally published in Information Age

There’s no denying that mergers and acquisitions (M&As) are big business. According to Government statistics, last year M&As generated £83.4 billion for the UK economy (comprising £53.8 billion of inward investment, £20.9 billion outward investment and £8.7 billion domestic). And yet, research from KPMG shows that 83% of M&A deals hadn’t boosted shareholder returns in the process. Why?

One of the biggest issues of data in the merger and acquisition deal process is due diligence. It’s so important that acquirers know exactly what they are buying, because while a deal may look attractive on the surface, any underlying risk can change the picture.

Take the acquisition of Yahoo! by Verizon as an example. After an undisclosed prior data breach was discovered during the due diligence process, the purchase price was reduced by $350 million, and Yahoo! was fined $35 million by the U.S. Securities and Exchange Commission and forced to pay $80 million to disgruntled shareholders.

Being able to perform comprehensive due diligence, which probes every area of the business in minute detail, is important because it stops the acquirer from raising any ‘red flags’ that may affect the terms of the deal, purchase price, or length of the sales process.

 

But what are they looking for?

The problem with due diligence is that often it’s performed by people who don’t necessarily understand the business, or even know what they’re looking for. For example, if a lawyer doesn’t have a current understanding of the cyber security threat landscape, which is highly likely given it’s not their field of expertise, they’re probably going to default to a set of routine questions, and certain risks could be overlooked.

And while every business is only one step away from a data breach, during the M&A process, the threat increases exponentially:

  • The company being acquired could bring a cyber security weakness into the business.
  • Any redundancies could turn unhappy employees into internal terrorists, causing a malicious data breach.
  • Data privacy could be invaded if appropriate policies aren’t in place to transfer ownership of data.

In a world where every company is now a data company, privacy really matters. And just because a deal is completed, doesn’t mean an organisation is safe against privacy problems. Research published on Forbes shows that an incredible 40% of acquiring companies discovered a cyber security problem during the post-acquisition integration.

Take Marriott as a very topical example. After acquiring Starwood Hotels in 2016, it was the subject of a catastrophic data breach in 2018 because it failed to discover 5 million unencrypted passwords and 8 million credit card details during the acquisition due diligence process – even though the breach had initially started in 2014, two years before the acquisition. If it had had access to the tools to discover its data in the M&A process, and to identify the risky or personal information held within it, such as the encryption keys stored on the same server as the credit card numbers or the fact that passport numbers were saved unencrypted, the breach would have been avoided or at least hugely minimised. Besides the fines imposed by the regulators, the hotelier is now facing class action litigation from one customer on behalf of 30 million of those affected.

Our own research at Exonar shows that 77% of IT professionals are concerned about personally identifiable information (PII) that’s hidden within their organisation’s data estate, and which they therefore can’t find, or protect. So, it’s perhaps unsurprising that research from Deloitte shows 70% of organisations say that the protection of data assets in a company they are acquiring is more of a concern now than it was a year ago.
 

The Cyber Security Association says: “As a result of several issues facing the safety and privacy of sensitive company data, it is imperative to find a lasting approach to tackling cyber attacks and potential hacks of vital business data.”

But when our research also shows that 95% of IT professionals say it’s a challenge to get visibility across their organisations’ data estate, and only 39% are taking active steps to gain visibility of their data, what exactly should that ‘approach’ look like?

Data discovery tools provide visibility of the estate at scale

Specialist data discovery software is available to organisations and provides full visibility into their data estate – regardless of whether that data is held on-premises or in the cloud, whether it is stored within structured or unstructured databases, and whether it is known or unknown to the organisation. It powers good data and information management.

Data discovery tools both power and protect organisations and the people they serve by giving them visibility of their data at huge scale and in one place. It’s this kind of data discovery technology that should become a standard part of every M&A deal, and what could have saved Marriott’s bacon. Because finding unsecured and risky information in the data estates of the merging companies – particularly data the business doesn’t even know it has – ensures there are no hidden surprises once the deal has been done.

Of course, data discovery has a flipside too, because data doesn’t just pose a liability to a business – it can be an asset too. Data as an asset has an inherent value, so getting full visibility of what’s there could affect the price of the acquisition.

Take pharmaceuticals as an example. We have one client that’s been able to discover its intellectual property and evidence of ownership that was previously hidden within unstructured data in the form of emails that were buried layers deep and were over ten years old. Being able to find this information saved our client lengthy and costly legal battles, but when used in an M&A situation could significantly increase the purchase price.

Once the organisation has identified all the data within its estate, appropriate remediation actions can be taken to clean it up – whether that means moving, securing or deleting the data with confidence or, indeed, taking no action because appropriate controls are already in place.

Integrating the data discovery tools with enforcement technologies, including document encryption, data loss prevention, access control, data remediation and content management, ensures that any risk posed by the data is minimised as much as possible. But it also significantly reduces the overall size of the combined data estate, which ultimately is going to save on storage costs in the newly merged business too.