M&A due diligence: is it a cyber-security nightmare?

The due diligence phase in the M&A process can make or break a deal. Before committing to a transaction, the due diligence period exists to ensure the buyer has the full picture: that they are aware of the potential risks involved and of the obligations the company will need to assume post-merger. It should be conducted in the spirit of full disclosure.

The majority of the time, potential buyers of an asset need to analyze the target company’s contingent liabilities, problematic contracts, litigation risks and intellectual property issues before they can make an informed decision about the level of risk they are prepared to accept. What is often overlooked is the issue of systems due diligence, which is often just as important as financial and operational due diligence.

The importance of systems due diligence in the M&A process has been thrown into the spotlight, especially with news that Telstra’s Asian subsidiary, Pacnet, suffered security breaches just two weeks before the telco giant finalized the acquisition. Telstra executives were reportedly unaware until after the transaction closed.

Implications of security breaches on M&A due diligence 

It is important to note there are two types of ‘leak’ when it comes to M&A. There is the intentional leak designed to boost deal premiums, influence the acquirer share price or accelerate time to completion, and there are leaks as a result of human error or cyber-crime. While increasing regulatory enforcement is helping to stop the former – according to the ‘Intralinks M&A Leaks Report’ – what is happening with the latter?

Historical data breaches, and those that might take place during the M&A due diligence process as a result of cyber-attacks or human error, are not often discussed. If a breach of this kind does occur, however, it can do huge damage: it can lead to a deal being abandoned, for example, if security breaches are identified during due diligence or mid-transaction.

In a global survey, ‘Cyber Security in M&A’, conducted by the international law firm Freshfields Bruckhaus Deringer, ‘83 percent of the respondents believe a deal could be abandoned if cyber security breaches are identified during due diligence or mid transaction’. The survey also revealed that ‘78 percent of respondents believe cyber security is not analyzed in great depth or specifically quantified as part of the M&A due diligence process’.

Data shared as part of the due diligence process is the keystone of any transaction. Any security breach could expose the seller’s most valuable content, some of which may be unpatented intellectual property. Failure to identify and address data privacy and security issues adequately during the due diligence process can result in adverse consequences such as potential lawsuits, fines and suspensions for all involved. Further legal complications will arise for the acquirer if the security breach is exposed post-acquisition.

Mandatory Reporting – First step to building a more secure environment?

So, is anything being done from a legal perspective to ensure enforcement mechanisms are in place to incentivize businesses to keep confidential information as secure as possible?

There have been moves in this direction among some jurisdictions across the APAC region to introduce mandatory reporting, which would have implications for the M&A due diligence process. Governments in certain countries are beginning to realize the need for such laws to be passed. 

Singapore and Hong Kong – two of the region’s financial services hubs – have issued directions to their authorized institutions, highlighting the increasing urgency of addressing cyber security risks, as such risks could have a major impact on their status as global financial hubs.

The Singapore government is in favor of mandatory disclosure, and is looking at revising the existing Computer Misuse and Cybersecurity Act since the nature of online crime has evolved. Recently, the government fined four companies – and issued warnings to another seven organizations – for breaching data protection obligations under the Personal Data Protection Act (PDPA).

The Singapore government is also looking into tabling a new Cybersecurity Bill in Parliament in 2017, aimed at strengthening laws against online crime and mandating operators of Singapore’s critical information infrastructure to take proactive steps to secure the country’s information infrastructure systems and to report cyber incidents.

However, what remains unclear is whether private or public companies that are not ‘operators of Singapore’s critical information infrastructure’ will need to adhere to this law in the event they suffer a data breach due to a cyber-attack.

In Hong Kong, the government is taking a different approach to reporting. While mandatory reporting is not required, voluntary reporting is encouraged. Currently, the Office of the Privacy Commissioner for Personal Data is reviewing Hong Kong’s 20-year-old data protection law – which is currently being implemented – to harmonize it with Europe’s pending umbrella data privacy regulation, the General Data Protection Regulation (GDPR).

Meanwhile, in Australia, mandatory reporting laws are in the works. Earlier this year, the government introduced a law where businesses with a turnover of over AUD3million – and these are both domestic

Richard Anstey is the Chief Technology Officer at Intralinks