Securing Your Merger: Managing Cyber Deal Risk
Cybersecurity experts Philip Lewis and Justin Daniels discuss M&A cyber risk on the "She Said Privacy/He Said Security" podcast
Cybersecurity presents a constantly evolving challenge to dealmakers looking to invest and exit successfully. Ransomware and data breaches can cause deal value to evaporate faster than yesterday’s social media post.
Philip Lewis, a partner at Fulcrum Equity Partners, and Justin Daniels, corporate M&A and cyber counsel for Baker Donelson, recently discussed managing cyber risk on the “She Said Privacy/He Said Security” podcast, which Justin hosts with his wife, Jodi Daniels. Below is an edited version of the conversation.
This section of the report originally appeared in Middle Market Executive’s Spring 2022 issue.
JUSTIN DANIELS: Philip, how have cybersecurity and privacy changed how you evaluate deal risk?
PHILIP LEWIS: I think it’s a constantly evolving topic. Fifteen years ago, I don’t think there was a lot of thought put into it. At this point, it is at the forefront of your mind in any transaction you’re looking at. Now on every deal, you are asking questions like: What does your perimeter security look like? What is your mobile device management? Do you use multifactor authentication? I think the level of diligence you have to do and the number of questions you ask on the front end to make sure that you don’t end up in a precarious situation has really evolved, especially over the last two years.
JD: As you go through the diligence, how can cybersecurity impact the deal?
PL: I’d say the biggest issue could be delaying the deal. Although I have not seen it kill a deal yet, I have seen a requirement to make necessary security investments on Day One post-close and to make sure the company is on board with that expenditure. I think the other way it could evolve is assessing the ongoing liability if a company has had a breach in the past.
JD: How can it impact the rate of return on an investment?
PL: Worst case is it stops a deal. A lot of times when you sell a company, you’re going to have to get some sort of escrow put into place that is a percentage of the transaction. If you have cyber issues or past incidents, the holdback could be much larger and held back for a longer period of time. Another issue is the exit can result in a much lower purchase price because the buyer has to spend a lot of cash to fix all the cyber problems of the company. The other risk is reps and warranties insurance. Lackluster cyber hygiene might cause the insurer to carve cyber risk out of the policy.
JD: I would add that getting reps and warranties insurance to cover cyber in the current environment is difficult and expensive, even if cyber hygiene is good. The insurance industry has been decimated by all the claims surrounding ransomware and business email compromise leading to wire fraud.
JD: When it comes to managing cyber deal risk and looking to get full value for your exit, is an ounce of prevention worth a pound of cure?
PL: Yes, but you are never done. I think a lot of it is: Are you doing the right things? Are you taking the right steps? Are you putting cyber at the forefront of your business? It’s one of those things that can always be better. The challenge is the bad guys can always figure out a way in. However, if you have taken the appropriate steps, then an investor has more comfort looking at your business.
JD: What type of specific investments have you seen made in portfolio companies to manage cyber risk post-close?
PL: A big lesson we have learned is you have to have the security function reporting directly to the CEO or COO, not the CTO. The CTO’s job is to deliver technology in the best, most efficient way possible, so that the salespeople can go out and sell. The security person’s job is to make sure your infrastructure is secure and that the software that’s being put out is secure. Sometimes those are not in lockstep. You need to make sure that the security individual is reporting independently of the CTO. That person can then provide unbiased feedback to the CEO. At that point, it becomes a business decision. We also make sure that multifactor authentication is in place.
JD: Where are we at with deal document reps and warranties, where it specifically says that the seller will have multifactor authentication, endpoint detection and other specific cyber measures?
PL: It’s coming. I’m not sure it’s 100% there yet. We are putting that in place and I think you’re going to start seeing it more and more often.
JD: What do you like to see in your due diligence process when it comes to portfolio companies managing cyber and privacy risk?
PL: I think one of the biggest items is an attitude toward privacy and security. I have to say that Service Organization Control 2 (SOC 2) compliance does not automatically equal great security. You could have that put into place, but at the end of the day, if you’re not actually following everything in there routinely, all you’ve done is spent a bunch of money on a great checklist of things you have not been maintaining. We are actively making sure that our employees are aware of the vulnerabilities out there versus doing a bunch of forms that check a box. A critical aspect of security awareness training is that you make sure that it’s not optional to complete, and that employees do it every month. And if they don’t, they’re no longer going to work at the company.
JD: Philip, what are your final thoughts on this topic?
PL: From our investor perspective, cyber is now a primary consideration in all our deals, from due diligence to the contract to post-deal integration. It is also critically important that a company carve out the security function and make it independent of the CIO and IT function. And one last time: multifactor authentication.
JD: From my perspective, the value of data is driving many deals these days. Companies are also migrating to the cloud and relying exclusively on computer technology. Lastly, cyber regulations like the ones just announced by the SEC will continue to expand the cyber and privacy regulatory landscape. As a result, cyber risk will only become greater and more resources will need to be devoted to managing it. I think the biggest takeaway from our conversation is that cybersecurity needs to be part of a company culture, period.