Written by Nick Pointon, Head of M&A at SQS
In June 2015, US security regulators investigated a group of hackers known as FIN4. The group was suspected of breaking into the corporate email accounts of 100 listed companies and stealing information relating to mergers for financial gain. Hackers are always on the lookout for opportunities to exploit vulnerable IT systems during mergers or acquisitions.
Starwood Group, an American hotel and leisure company, was the victim of a data breach in 2015 caused by malware-infected point-of-sale terminals, shortly after the acquisition by Marriott Corporation had been announced. As a result of the breach, hackers gained access to customer names, payment card numbers, security codes, and expiration dates. It was later questioned whether IT systems were appropriately assessed before the acquisition was made public knowledge.
There is so much going on in the process of an acquisition or a business merger that IT systems are often neglected. This creates vulnerabilities, potentially exposing sensitive information which cyber criminals can exploit. IT teams must focus their attention on ensuring the security of existing systems before a company even considers undergoing an acquisition or merger.
Pre-acquisition technical due diligence
Technical due diligence refers to the period during which IT systems are inspected, reviewed and assessed for areas of vulnerability that need to be addressed. Organisations looking to be acquired or to merge should begin a process of technical due diligence internally before seeking interested parties. By carrying out this internal technical due diligence, the company being acquired can be satisfied that its systems are robust, secure and fit for purpose, and that the acquirer’s due diligence will not expose any issues that may jeopardise the deal.
In addition to the security vulnerabilities, many organisations carry open-source licensing risks. Open-source modules or snippets of code are commonly incorporated by developers into software to aid rapid development. Although this open-source code is freely downloadable, it is normally subject to an open-source licence, and this licence places restrictions and obligations on what can be done with this code. Companies often have no idea what open-source code is used in their systems and any breach of licensing restrictions can be costly to fix and endanger the deal. So the internal technical due diligence should include an assessment of open-source licensing risk, allowing the company to resolve any problems in advance.
By conducting thorough technical due diligence before embarking on the process of an acquisition, organisations will have a greater appeal to interested parties and can ensure the deal will proceed smoothly. Those looking to acquire will have a clearer understanding of the technical assets for sale, with the added reassurance there won’t be any unpleasant surprises.
Yahoo recently felt the ramifications of neglecting IT systems in anticipation of the Verizon acquisition, after it was revealed earlier this year that 500 million customer email accounts were hacked. This now has the potential to affect the final deal – Verizon has issued a statement saying that the company is looking to alter the terms of the deal, as it felt Yahoo wasn’t completely transparent about the breach. This is a prime example of technical due diligence that hasn’t been thoroughly conducted, and it proves that issues unearthed during the closing stages of an acquisition have the potential to affect the final sale price.
Once an acquisition has been agreed in principle, senior stakeholders must then decide which systems are being continued and which should be decommissioned. A skilled project manager must be chosen to manage and monitor the implementation of the systems, ensuring that decisions impacting the seamless integration of the acquisition are made on time.
Companies often underestimate the amount of work that goes into managing the process of an acquisition. This can result in the appointment of a project manager without the skills needed to run the entire process efficiently. All too often it is assumed that acquisitions only affect the financial and legal teams, when in reality they affect every department. An individual is needed with the skills to communicate across all departments and at all levels.
Post-acquisition finishing touches
The sale is agreed and personnel have merged, but it doesn’t stop there. Post-acquisition integration is a separate project in its own right and requires close engagement from senior stakeholders. Merging IT systems across companies can affect the smooth running of daily operations, exposing flaws in acquired systems likely to cause system downtime. By bringing third-party experts on board, companies facing both pre- and post-acquisition challenges can be safe in the knowledge that IT systems are maintained and sensitive data is kept safe.
No matter how big or small the company or the number of employees, acquisitions are always a major upheaval. In order to allow the organisation to continue to operate efficiently both during and after the deal, it is vital the entire integration is properly planned and effectively executed. This planning starts during due diligence by carrying out a thorough assessment of the technology and systems. And the process continues with the execution of the integration project, which requires a skilled project manager supported by engaged stakeholders and effective communication at all levels in the new organisation.