Originally published in Information Age
There’s no denying that mergers and acquisitions (M&As) are big business. According to Government statistics, last year M&As generated £83.4 billion for the UK economy (comprising £53.8 billion of inward investment, £20.9 billion outward investment and £8.7 billion domestic). And yet, research from KMPG shows that 83% of M&A deals hadn’t boosted shareholder returns in the process. Why?
One of the biggest issues of data in the merger and acquisition deal process is due diligence. It’s so important that acquirers know exactly what they are buying, because while a deal may look attractive on the surface, any underlying risk can change the picture.
Take the acquisition of Yahoo! by Verizon as an example. After discovering an undisclosed prior data breach during its due diligence process, the purchase price was reduced by $350 million, they were fined $35 million by the U.S. Securities and Exchange Commission, and forced to pay $80 million to disgruntled shareholders.
Being able to perform comprehensive due diligence, which probes every area of the business in minute detail, is important because it stops the acquirer from raising any ‘red flags’ that may affect the terms of the deal, purchase price, or length of the sales process.
The problem with due diligence is that often it’s performed by people who don’t necessarily understand the business, or even know what they’re looking for. For example, if a lawyer doesn’t have a current understanding of the cyber security threat landscape, which is highly likely given it’s not their field of expertise, they’re probably going to default to a set of routine questioning where certain risks could be overlooked.
And while every business is only one step away from a data breach, during the M&A process, the threat increases exponentially:
In a world where every company is now a data company, privacy really matters. And just because a deal is completed, doesn’t mean an organisation is safe against privacy problems. Research published on Forbes shows that an incredible 40% of acquiring companies discovered a cyber security problem during the post-acquisition integration.
Take Marriott as a very topical example. After acquiring Starwood Hotels in 2016, it was the subject of a catastrophic data breach in 2018 because it failed to discover 5 million unencrypted passwords and 8 million credit card details during the acquisition due diligence process – even though the breach had initially started in 2014, two years before the acquisition. If it had had access to the tools to discover their data in the M&A process, and identify the risky or personal information held within it, like the encryption keys stored on the same server as the credit card numbers or the fact that passport numbers were saved unencrypted, the breach would have been avoided or at least hugely minimised. And now, besides the fines imposed by the regulators, the hotelier is now facing class action litigation from one customer on behalf of 30 million of those affected.
The Cyber Security Association says: “As a result of several issues facing the safety and privacy of sensitive company data, it is imperative to find a lasting approach to tackling cyber attacks and potential hacks of vital business data.”
But when our research also shows that 95% of IT professionals say it’s a challenge to get visibility across their organisations’ data estate, and only 39% are taking active steps to gain visibility of their data, what exactly should that ‘approach’ look like?
Specialist data discovery software is available to organisations and provides full visibility into their data estate – regardless of whether that data is based on-premise or in the cloud, stored within structured or unstructured databases, and if that data is known or unknown to the organisation. It powers good data and information management.
Data discovery tools both power and protect organisations and the people they serve by giving them visibility of their data at huge scale and in one place. It’s this kind of data discovery technology that should become a standard part of every M&A deal, and what could have saved Marriott’s bacon. Because finding unsecured and risky information in the data estates of the merging companies – particularly data the business doesn’t even know it has – ensures there are no hidden surprises once the deal has been done.
Of course, data discovery has a flipside too, because data doesn’t just pose a liability to a business – it can be an asset too. Data as an asset has an inherent value, so getting full visibility of what’s there could affect the price of the acquisition.
Take pharmaceuticals as an example. We have one client that’s been able to discover its intellectual property and evidence of ownership that was previously hidden within unstructured data in the form of emails that were buried layers deep and were over ten years old. Being able to find this information saved our client lengthy and costly legal battles, but when used in an M&A situation could significantly increase the purchase price.
Integrating the data discovery tools with enforcement technologies, including document encryption, data loss prevention, access control, data remediation and content management, ensures that any risk posed by the data is minimised as much as possible. But it also significantly reduces the overall size of the combined data estate, which ultimately is going to save on storage costs in the newly merged business too.