When Marriott International acquired Starwood in 2016 for $13.6 billion, neither company was aware of a cyber-attack on Starwood’s reservation system that dated back to 2014. The breach, which exposed the sensitive personal data of nearly 500 million Starwood customers, is a great example of what we call a “data lemon” — a concept drawn from economist George Akerlof’s work on information asymmetries and the “lemons” problem. Akerlof’s insight was that a buyer does not know the quality of a product being offered by a seller, so the buyer risks purchasing a lemon — think of cars.
We are extending that concept to M&A activity. In any transaction between an acquiring company and a target company (seller), there is asymmetric information about the target’s quality. While managers have long understood this concept, recent events shed light on an emerging nuance in M&A — that of the data lemon. That is, a target’s quality can be linked to the strength of its cybersecurity and its compliance with data privacy regulation. When an acquirer does not protect itself against a data lemon and seek sufficient information about the target’s data privacy and security compliance, the acquirer may be left with a data lemon — a security breach, for example — and resulting government penalties, along with brand damage and loss of trust. That’s the situation Marriott is now dealing with. The company faces $912 million in GDPR fines in the EU and its stock price has taken a hit. The problem doesn’t stop there. According to Bloomberg, “the company could face up to $1 billion in regulatory fines and litigation expenses.”
Marriott isn’t the only company in this situation. In 2017, Verizon discounted its original $4.8 billion purchase price of Yahoo by $350 million after it learned — post-acquisition — of the latter’s data breach exposures. Similarly, in April 2016, Abbott announced the acquisition of St. Jude Medical, a medical device manufacturer based in Minnesota, only to learn of a hacking risk in 500,000 of St. Jude’s pacemakers a year later in 2017. Abbott ended up recalling the devices. Daiichi Sankyo, a Japanese company, acquired Ranbaxy, an Indian pharmaceutical manufacturer. Daiichi Sankyo later went to court alleging that the target firm misrepresented FDA safety compliance data to Daiichi (among other issues).
So what to do about data lemons? You can simply make the deal anyway, especially if the value created by the deal outweighs the risks. Or you can take the Verizon route and reduce the valuation post-acquisition. We propose a third option: due diligence not just on the financials of the target firm, but also on its regulatory vulnerabilities during the M&A discussion process. The idea is to identify potential data breaches and cybersecurity problems before they become your problem.
Finding the Problem Before You Own It
In this approach, we borrow from established compliance standards meant to guard against bribery and environmental issues. The acquirer would investigate the target firm’s past data breaches and require disclosure of prior data-related audits and any pending investigations worldwide. The acquiring firm would also conduct a review of the target’s processes and procedures regarding data security — like acceptable use of data, data classification, and data handling. The acquirer should also assess target firm compliance with cybersecurity frameworks from NIST, CIS, ISO, and the AICPA.
If some risk is found during the due diligence, an acquirer should engage in a more intensive audit of the target firm’s policies. For example, does the target adhere to any sort of data standards or certifications? (Examples include Gramm-Leach-Bliley and HIPAA.) Finally, due diligence should also include an assessment of the data-privacy requirements in third-party contracts.
Also, note that documents that change hands between the target and acquiring firms can themselves become risks for “data spillage” — the unintended release of sensitive data. Hence both the target and acquiring firm are particularly vulnerable to attack by hackers during the M&A due diligence process, sometimes via a hack of third parties such as banks, law firms, accounting firms, or third-party vendors involved in M&A. It’s important to increase the security of such data and assess the practices of third parties to reduce such risk.