The current rash of ransomware attacks should serve as a wake-up call to private equity firms to ratchet up cybersecurity due diligence efforts. The data breach affecting Yahoo Inc. (Nasdaq: YHOO) provided an earlier moment of reflection for the M&A world. The magnitude of the stolen credentials is alarming, but even more so are the steps Verizon Communications Inc. (NYSE: VZ) is taking to reassess its offer to acquire Yahoo. Given the real possibility that the $4.8 billion price tag may be renegotiated, one naturally might assume the due diligence performed by Verizon was insufficient. There may be some truth to this, but the questioning and second-guessing could be unwarranted.
As a middle market CIO, I have a window into the various machinations of the IT diligence process, and cybersecurity is one piece that is still maturing. The well-established diligence processes that thoroughly evaluate opportunities and reduce risk can make introducing cybersecurity into the conversation foreign and uncomfortable. Boards and companies, in general, have less of an understanding of cyber risks than they should, which leads to gaps in their overall due diligence. Although this is not exclusively a challenge for the middle market, there are a few reasons why cybersecurity due diligence is not routine.