Why mitigating data risk is crucial in M&A
Data has changed the world and the promise of the fruits of large-scale data manipulation have changed the way companies do business. The transformative power of data has left very few areas of modern life untouched. But with promise comes risk, which is increasingly significant.
Barely a day passes without news of a corporate data breach or cybersecurity incident. From individuals, Fortune 500 companies to the smallest mom and pop enterprises, mitigating the risks in handling often very sensitive data, is now a daily challenge from which few are excused.
This proliferation of data is being matched by a marked increase in regulatory scrutiny. Whether it be a local state authority getting to grips with the challenges of data risk, to new legislation such as the European Union’s flagship General Data Protection Regulation (GDPR) oversight of data and the rules that govern its use are getting tougher.
The penalties for badly managing or handling data are increasingly pernicious. Businesses failing to comply with GDPR, for example, face the threat of fines of up to four per cent of their annual turnover.
GDPR is a game-changer affecting the vast majority of cross-border corporate transactions that take place around the world. Conceived in Europe, GDPR has global implications, while it has also loosened the traditional reticence local and U.S. regulators have displayed with regard to data
Newly emboldened watchdogs are going after data transgressors. Aggressive regulatory censure on data issues is now a fact of life in most jurisdictions.
Rethinking the due diligence process
It is against this backdrop that many companies looking to buy or sell assets through M&A have to rethink their approach to data. Data is fundamentally changing the way deal making works.
Companies now need to take the deepest of dives into the data security credentials of any company they target.
Depending on deal structure, an acquirer assumes the liabilities of the target and these liabilities are often difficult to unearth, particularly when it comes to data. Such risks may be lying dormant in a subsidiary business or regional division. The true extent of any risks associated with data may simply not have been found or spoken about openly.
But ignorance is not a plea that absolves an organization of wrongdoing. Whereas in the past, data risk was largely a secondary consideration in deal due diligence, it is now a question, or series of questions, that should be posed early on in negotiations. Robust buyer scrutiny should ascertain the extent of poor processes, legacy or historical issues, laying deep within an organizational structure.
Previously, many data risks were never unearthed. Warranties were viewed as the medicine to cure any data disorder. Acquirers simply factored in the cost of a data warranty as a cost of doing a deal. But the cost of warranties has recently increased exponentially, while the cover associated with those same warranties is now typically capped at levels much lower than the potential risks and costs. This leaves the full risk firmly in the hands of an acquiring company. But risk is complicated to assess.
How to tackle the data due diligence conundrum
One of the biggest challenges facing acquirers is what to do when there is an absence of detail around data management, handling and mitigation. This essentially leaves an acquirer with three options:
1. A buyer can walk away.
2. A buyer can push for the target to take on a much greater liability risk if anything is uncovered after a purchase has been made.
3. The target company can try to secure a lower purchase price.
None of these options are palatable for the parties involved in a deal making process. Targets will rarely willfully withhold information pertaining to data risk, rather, they simply won’t know.
While the onus typically falls on the shoulders of an acquirer to assess the data risks inherent in a target firm, there is an increasing demand for sellers to show their understanding of any potential issues within their business:
· As part of any pre-sale process, a seller should have a comprehensive understanding of its entire data handling abilities and the extent of any shortfalls. A seller should identify what the issues are and how they can be fixed.
· Sellers need to be open and transparent with an acquirer around data. This not only helps with data issues but securing wider trust and ultimately the final sale.
· Data is now everywhere but it’s alarming to note that some industries still do not believe it impacts them. Cries of, "We aren’t a social media company, so that’s not us," can still be heard in boardrooms around the world.
Every company is now a data company, with most firms buying, selling or bartering personal information in one form or another. The problem remains a lack of awareness, so it is incumbent on corporate leadership to drive a culture of understanding around data into every single part of the organizations they run.
Be you a buyer or seller, failure to undertake comprehensive assessments of your data ultimately leads to issues in the dealmaking process. Data management is a dynamic process that should be undertaken by both buyers and sellers: promoting internal disclosure, risk assessment and practical application of changing rules and regulations. The task is not insurmountable but the prospect of deal failure, early in the process or later when a latent breach is discovered, is real and has a discernable, measurable impact beyond the parties involved in the transaction.
The investment in your company’s data assets, and the processes and procedures around those assets is key to a healthy company and healthy M&A.