M&A tip: how to avoid acquiring a “data lemon”

Insurance companies or brokerages looking to acquire another company should perform due diligence not just on the financials of the target firm, but also its regulatory vulnerabilities during the M&A process.

“The idea is to identify potential data breaches and cyber security problems before they become your problem,” said the blog Don’t Acquire a Company Until You Evaluate Its Data Security, published by Harvard Business Review.

Identifying these problems can help avoid acquiring a “data lemon” – a buyer that does not know the quality of a product being offered by a seller (target company). For example, when Marriott International acquired Starwood in 2016 for $13.6 billion, neither company was aware of a cyberattack on Starwood’s reservation system that dated back to 2014. The breach, which exposed the sensitive personal data of nearly 500 million Starwood customers, is a perfect example of a “data lemon.”

In any transaction between an acquirer and a seller, there is asymmetric information about the target’s quality. “While managers have long understood this concept, recent events shed light on an emerging nuance in M&A — that of the data lemon. That is, a target’s quality may be linked to the strength of its cybersecurity and its compliance with data privacy regulation,” note the blog authors, Chirantan Chatterjee and D. Daniel Sokol.

When an acquirer does not protect itself by seeking sufficient information about the target’s data privacy and security compliance, the acquirer may be left with a data lemon – a security breach, for example – and resultant government penalties. Not to mention brand damage and loss of trust.

Marriott isn’t the only company in this situation, the authors said. In 2017, Verizon discounted its original $4.8 billion purchase price of Yahoo by $350 million after it learned – post-acquisition – of the latter’s data breach exposures. Similarly, in April 2016, Abbott announced the acquisition of St. Jude Medical, a medical device manufacturer based in Minnesota, only to learn of a hacking risk in 500,000 of St. Jude’s pacemakers a year later.

So, what to do about data lemons? A purchaser can make the deal anyway, especially if the value created by the deal outweighs the risks. Or it can take the Verizon path and reduce the valuation post-acquisition.

There is also a third option: focus not only on the financials of the target firm, but also its regulatory vulnerabilities during the M&A discussion process. For example, the acquirer would investigate the seller’s past data breaches and require disclosure of data-related audits and any pending investigations worldwide. The acquiring firm would also conduct a review of the target’s processes and procedures regarding information security, like acceptable use of data, data classification and data handling.

What if some risk is discovered? Then, the acquirer should engage in a more intense audit of the target firm’s policies. For example, does the target adhere to any sort of data standards or certifications? Finally, due diligence should also include a review of the data privacy requirements in third party contracts.

Sometimes there is even “information spillage” – the unintended release of sensitive data – when documents change hands between acquirer and seller. “Both the target and acquiring firm are particularly vulnerable to attack by hackers during the M&A due diligence process, sometimes via a hack of third parties such as banks, law firms, accounting firms, or third-party vendors involved in M&A,” the authors said. “It’s important to increase the security of such information and review the practices of third parties to reduce such risk.”

If all the steps taken and you still acquire a “data lemon,” it’s essential to set up an incident response strategy to address both legal/regulatory or customer-facing risks. Such a strategy needs to be quick and decisive and the board must be brought in. Management of public relations and outreach to policymakers will have to be transparent. Lastly, the acquiring firm needs to review the practices that lead to the breach and identify measures to improve the data privacy compliance program going forward.