M&A due diligence on the rise as acquirers seek to offset cyber risk

02 September 2016 Consultancy.uk

M&A activity remains at all-time highs, with PE firms continuing to leverage their dry powder to pick up firms across the globe. Firms are, however, becoming ever more digital, and as a consequence due diligence has started to focus more and more on identifying cyber security risks related to targets – as poor cyber defences have become a major concern for acquirers. A new report finds that compliance problems are one of the major drivers for the need for a thorough due diligence process, with only 40% very satisfied that their team are thorough and expert enough to uncover potential problems.

Costs related to cyber security are rising rapidly. As more and more companies invest in digital transformations, and as more and more of companies’ operations are digitalised, the number of vectors from which digital adversaries can mount attacks is on the rise. Adversaries are also becoming more sophisticated, sometimes innovating faster than the defences of companies can be erected and upheld – the human factor too remains an ever present risk, with social engineering remaining a prominent issue.

Recent analysis of the costs finds that the average cost for a data breach to a large company stood at $3.8 million in 2015, up 7.6% on the year previous. The number of daily attacks, many of which are thwarted, comes in at around 500,000, while the total global costs have been estimated by McAfee at up to $400 billion per year. Avoiding breaches, therefore, has become an ever more pressing issue for companies.

Cyber security procedures

While integrated contractors and partners form two risk vectors for companies that have their own ship in order, the addition of a recently acquired company to the firm’s network, or, in the case of PE, to the PE firm’s liability, is another area of possible concern. In a new report from West Monroe, titled ‘Testing the Defences: Cyber Security and M&A’, the consultancy firm considers the changing behaviour surrounding cyber security considerations have in the due diligence process for deals.

The research is based on a survey of 30 senior executives at corporates and private equity firms with a large number of M&A projects. Two-thirds of respondents are from large cap companies, while 90% have a security policy/framework in place. The majority of companies (60%) leverages in-house expertise, while 40% hires in expertise from external advisors and experts.

Importance of cyber security due diligence and its rise

The survey finds that cyber security has grown in importance over the past two years, 77% saying that its importance has grown significantly, while 23% say that it has increased somewhat. As it stands, 80% of respondents say that due diligence for a deal related to possible cyber security is highly important, with 20% saying it is somewhat important.

West Monroe Managing Director Matt Sondag says, “Acquirers have become much better-informed of late about the risks of inadequate cybersecurity. When a data breach lands on the front page of CNN.com or The Wall Street Journal, companies start to pay closer attention to the issue. In the last 18 to 24 months, we have really started to see the importance of cybersecurity resonate with our clients.”

The researchers also sought to identify what respondents believed to be the top two concerns regarding cyber security at their respective firms. Of all concerns signified by the research, the ‘cost of correcting existing problems’ was cited as the most often sought after concern by respondents, at 50%. This is followed by the ‘potential complications for post-merger integration’, cited by 43% of respondents. 37% respondents also said that, among their top two concerns, are attempted to find out how often the target has already been compromised by assailants, as cited by 37% of respondents. 37% cited 'threats to customer data' as a concern, while 33% cited 'threats to business data'.

Common and important types of cybersecurity

The respondents were also asked about the most common and important types of cybersecurity issues discovered at the targets, as well as their relative importance. The top most uncovered issues are 'compliance problems', which, given the increased surveillance of regulators following large scale events in recent years, can result in hefty fines and penalties – the due diligence process takes the issue seriously, with 30% citing it as their top priority. The 'lack of a comprehensive data security architecture' was the second most commonly identified issue, cited by 40% of respondents, followed by 'vulnerability from insider threats' – they are cited as the most typical issue by 13% and 10% of respondents respectively. Two challenges cited as important regarding the deal process are companies that 'lack a data security team', cited as the most important by 17% of respondents and 'weak encryption/security of vendors', as mentioned by 13%.

Quality of due diligence process

The research also asks respondents about the satisfaction of the due diligence process surrounding recent deals. Respondents are generally satisfied, with 40% saying that they are highly satisfied and 57% somewhat satisfied. When asked to identify up to two areas of dissatisfaction, the largest dissatisfaction found is not enough time devoted to the process, at 39%, followed by not enough qualified people being involved in the process, at 32%.

The target itself is found to be an issue in 29% of the cases, in so far as there was a lack of cooperation or knowledge on their part. A lack of thoroughness, through which post deal problems arose, was cited by 29%, while inadequate preparation of the part on the acquirer was cited as an issue by 25% of respondents.

Special protections important to mitigation

The threat of post-deal problems, as well as a lack of cooperation in some instances, has prompted acquirers to implement special protections to mitigate possible risks related to cybersecurity in dealmaking. When asked what two processes are most often implemented to offset downsides, the top ranked process is 'representations & warranty insurance', as cited by 63% of respondents, followed by 'specific closing conditions', highlighted by 53% of respondents. 'Purchase price adjustments', to factor in costs related to shoring up defences, are cited by 43% of respondents, while 'special indemnities and holdbacks' are cited by 27% and 13% respectively.

According to the report’s authors, “The reality of the modern business environment is that every sector has become vulnerable to cybersecurity problems. Virtually all acquirers must implement a rigorous diligence process when considering M&A targets. The nature of cyber threats is also changing constantly, requiring a nimble approach to due diligence. As security concerns evolve, make sure that your diligence procedures evolve with them.”

×

8 tips for successfully buying or selling a distressed business

18 April 2019 Consultancy.uk

Embarking on the sale of a business is one of the most challenging experiences a management team can undertake. Even serial dealmakers acknowledge that the transaction process can be gruelling, exposing management to a level of scrutiny and challenge through due diligence that can be distinctly uncomfortable.

So, to embark on a sale process when a business is in distress is twice as challenging. While management is urgently trying to keep the business afloat, they are simultaneously required to prepare it for scrutiny by potential acquirers. Tim Wainwright, an experienced Transactions Partner with Eight Advisory, says that this dual requirement means sellers of distressed businesses must focus on presenting their business in a way that supports buyers in identifying value, whilst simultaneously being open about the causes of distress. 

According to Wainwright, sellers of distressed businesses should focus on eight key aspects to ensure they are as well prepared as possible:

  • Cash: In a distressed situation cash truly is king. Accurate forecasting and day-by-day cash balances are often required to ensure any buyer is confident that scarce cash reserves are under proper control. 
  • Equity story and turnaround plan: Any buyer is going to want to understand the proposed turnaround strategy: how is the business going to enact its recovery and what value can be created that means the distressed business is worth saving? Clear presentation of this strategy is essential.
  • The business model: Clear demonstration of how the business model generates cash is required, with analysis that shows how financial performance will respond to key changes – whether these are positive improvements (e.g., increases in revenue) or emerging risks that further damage the business.  Demonstrating the business is resilient enough to cope with these changes can go a long way to assuring investors there is a viable future.
  • Management team: As outlined above, this is a challenging process. The management team are in it together and need to be consistent in presenting the turnaround. Above all, the team needs to be open about the underlying causes that resulted in the distressed situation arising.  A defensive management team who fail to acknowledge root causes of distress are unlikely to resolve the situation.

8 tips for successfully buying or selling a distressed business

  • Financing: More than in any traditional transaction, distressed businesses need to understand the impact on working capital. The distressed situation frequently results in costs rising as credit insurance becomes more difficult to obtain or as customers and suppliers reduce credit. Understanding how these unwind will be important to the potential investors.
  • Employees: Any restructuring programme can be difficult for employees. Maintaining open communications and respecting the need for consultation is the basic requirement. In successful turnarounds, employees are often deeply engaged in designing and developing solutions. Demonstrating a supportive, flexible employee base can often support the sale process.
  • Structuring: Understanding how to structure the business for the proposed acquisition can add significant value. Where possible, asset sales may be preferred, enabling buyers to move forward with limited liabilities. However, impacts on customers, employees and other stakeholders need to be considered.
  • Off balance sheet assets: In the course of selling a distressed business, additional attention is often given to communicating the value of items that may not be fully valued in the financial statements. Brands, intellectual property and historic tax losses are all examples of items that may be of significant value to a purchaser. Highlighting these aspects can make an acquisition more appealing.

“These eight focus areas can help to sell a distressed business and are important in reaching a successful outcome, but it should be noted that it will remain a challenging process,” Wainwright explains. 

With recent studies indicating that the valuation of distressed business is trending north. With increased appetite from buyers who are accustomed to taking on these situations, it is likely that more distressed deals will be seen in the coming months. “Preparing management teams as best as possible for delivering these will be key to ensuring these businesses can pass on to new owners who can hopefully drive the restructuring required to see these succeed,” Wainwright added.