Data breaches are a constant in today’s headlines, but in recent years the risk has been front and centre of some of the most significant M&A deals.
In 2017, Verizon discounted its acquisition price by $350m when Yahoo belatedly disclosed that it experienced several massive breaches. And in November 2018, hotel Marriott publicly disclosed that Starwood’s guest reservation database — containing hundreds of millions of personal records — had been compromised since 2014, prior to the Marriott acquisition.
These incidents — and countless others — raise critical questions. How should Boards be thinking about cyber risk in the acquisition process? What steps should they take to address this risk prior to the acquisition?
First, Boards must understand that cyber risk can have a significant impact not only on the valuation of a deal, but on future legal liability associated with the transaction. From a Board’s perspective, the fallout from the Yahoo breach is significant — multiple securities class action lawsuits, D&O suits, and recommendations for Board removal. The Board’s responsibility in overseeing cyber risk management has never been more crucial.
How can…
