What's really hidden in your merger & acquisition deal data?


Originally published in IT Pro Portal

M&A activity involves understanding substantial data assets, containing both value and risk for the acquiring party.

 

The fact is that we live in a world where every company is a data company. No matter which industry your business operates in, every organisation is gathering and creating vast volumes of data which makes good data and information management vital. In the past, M&A activity was about acquiring traditional assets such as factories, real estate, brands or customer/market share. These days, data itself is becoming a critical asset too – valuable in its own right and in some cases a key asset targeted within transactions.

Of course, while the value of data is in its commercial opportunity, organisational information and data almost always contains a good amount of risk too – sensitive information poorly stored and protected can amount to a data breach waiting to happen. For this reason, understanding the data, and the risk and value it contains, is a critical part of any merger or acquisition process.

Research published on Forbes shows that an incredible 40 percent of acquiring companies discovered a cybersecurity problem during the post-acquisition integration, showing that just because a deal is completed doesn’t mean an organisation is safe against privacy problems.
 

And 53 percent of business executives said a critical cybersecurity issue had put an M&A transaction at risk. What’s more, 65 percent of those surveyed said they had experienced buyers’ remorse because of cyber security concerns after closing a deal.

The issue comes in the due diligence process. Until now, there simply have not been the tools available to look into both structured and unstructured merger & acquisition deal data across the merged or acquired business. Take the example of Marriott, which is back in the news with the story of the class action lawsuit that’s been filed by one disgruntled customer on behalf of the 30 million customers affected by its 2018 data breach.
 

Marriott acquired Starwood Hotels in 2016. Two years after the acquisition, there was a catastrophic data breach of the Starwood Hotels guest reservation database because Marriott failed to discover 5 million passport details and 8 million credit card numbers during the acquisition due diligence process. Had it been able to look into all the data and identify the risky or personal information held there, it would have discovered that not only were the encryption keys held alongside the credit card numbers, but the passports were unencrypted. If it had known this, the data could have been secured.

Even if a breach isn’t entirely catastrophic, it can result in significant costs, not to mention the reputational damage. When Yahoo! was acquired by Verizon, an undisclosed data breach was discovered during the due diligence process, which knocked £350 million off the price and resulted in a £35 million fine by the U.S. Securities and Exchange Commission and an $80 million payment to unhappy shareholders.

Being able to perform comprehensive due diligence, which probes every area of the business in minute detail, is important because it stops the acquirer from raising any ‘red flags’ that may affect the terms of the deal, purchase price, or length of the sales process.

Data concerns

Research that we ran here at Exonar shows that 77 percent of IT professionals are concerned about personally identifiable information (PII) that’s hidden within their organisation’s data estate and which they therefore can’t find or protect. Related to this, a survey from Deloitte shows 70 percent of organisations say that the protection of data assets in a company they are acquiring is more of a concern now than it was a year ago.

Our research also shows that 95 percent of IT professionals say it’s a challenge to get visibility across their organisations’ data estate, and yet only 39 percent are taking active steps to gain visibility of their data.

So what’s the solution?

Gaining visibility of the estate at scale with data discovery tools

The key to mitigating the risks in a merger or acquisition is the ability to get visibility of an organisation’s data right across its data estate. It’s important to be able to see that data in one place and at scale using an advanced data discovery tool that can find both structured and unstructured data, in on-premise or cloud repositories, revealing data whether it is known or unknown to the organisation.

Put simply, you can’t secure what you don’t know you’ve got, so revealing the data means it can be cleaned up or locked down appropriately. This is why data discovery technology should be part of every M&A deal. Being able to find the risky, unsecured or unknown personal data during the purchase takes the jeopardy out of the process. It would certainly have helped Marriott with its data management strategy, and helped it avoid the reputational damage and the fines meted out to it two years down the line from the merger.

The positive of this is that by discovering data at scale, it is possible to find the value in it too. Data as an asset has an inherent value, so getting full visibility of what’s there could affect the price of the acquisition.

For example, we have a customer in financial services using our product Exonar Reveal to gain total visibility over a data estate exceeding 160TB. They are doing this not only to find and manage risky data, but also to understand the scope and scale of valuable information they hold as an asset. By joining the dots to combine the information in highly complex ways, in a visual format, the organisation is giving technical and non-technical users the insights they need to make strategic decisions about how to commercialise its data and strengthen its competitive advantage. When used in the context of M&A deal data, this ability to extract value from data could increase the desirability of the purchase and therefore the value of the transaction.

Taking the rough with the smooth

Given this new world where every company is a data company, information and data will increasingly be a desirable asset to purchase and will feature more in M&A opportunities that arise.

Once businesses going through M&A learn how to discover and know the data at the center of a transaction, they can value the asset by understanding the value of what they’re buying, as well as the risky data hidden within it that they would be taking on. The tricky process of due diligence has just gained some groundbreaking data discovery technology to better understand the data asset and reduce risk.