Merger and acquisition (M&A) deals can take years to put together, and they involve hundreds of moving parts, but it takes only one faulty element to turn a deal from a success story to a cautionary tale — especially if that element is cybersecurity.
According to one survey by Forescout Technologies, 53% of respondents reported that their organization had encountered a critical cybersecurity issue during an M&A deal that put the deal into jeopardy, and 65% of respondents experienced regret after closing a deal because of cybersecurity concerns.
In the current regulatory environment, with the passage of the GDPR and the CCPA, and with more data privacy laws in the works, cybersecurity and data privacy have become crucial elements of pre-M&A due diligence. If an acquiring company doesn’t like what it finds, it may walk away from the deal or later wish it had.
Here, let’s go over three recent M&A transactions that never got off the ground or whose deal value was severely undermined by data security issues.
Facebook Walks Away From TikTok’s Forebear
Fortune reports that in 2016, Facebook spent months considering a possible acquisition of Musical.ly, which later became TikTok, the massively popular video app. Facebook passed on the deal because of two concerns: the app was based in China, and its predominately underage user base would likely run afoul of American laws governing child internet privacy.
After Facebook opted out, Musical.ly went on to be acquired by Beijing-based startup ByteDance for $1 billion. Today, TikTok is a runaway hit with over a billion active users, but it's grappling with the same cybersecurity issues that made Facebook walk away, and those may even threaten ByteDance's acquisition.
In November 2019, Reuters reported that ByteDance was being investigated by the Committee on Foreign Investment in the United States (CFIUS) because of national security concerns. Apparently, lawmakers were alarmed by reports from TikTok employees that their bosses in China compelled them to censor videos, including political content. There were also concerns about the security of the app’s data on U.S. users, and in December, ByteDance was hit with a class-action lawsuit in California. The suit claims that TikTok collects and stores “vast quantities” of user information without consent and then sends that data to servers in China, in violation of multiple laws.
ByteDance has attempted to address these concerns by fencing off its U.S. operations from China, but if it fails to convince CFIUS, the committee may force ByteDance to divest from its holdings of Musical.ly, effectively reversing the acquisition. It wouldn’t be the first time CFIUS has intervened in M&A deals over data privacy concerns. In recent years, lawmakers have been vigilant about policing cross-border M&A deals, especially between tech companies.
In 2017, CFIUS refused to allow China’s Ant Financial to buy MoneyGram due to worries about the security of personally identifiable data of Americans, and last year, CFIUS forced Chinese company Kunlun Tech Co Ltd to sell the gay dating app Grindr. All of these stories point to the necessity of keeping data privacy top of mind when considering an international M&A deal, especially one with China.
Verizon’s Acquisition of Yahoo Unearths a Privacy Nightmare
In 2017, Verizon acquired Yahoo for $4.48 billion, but the deal almost fell through over two data-breach scandals that came to light in the midst of negotiations.
Yahoo revealed that they had suffered two separate data breaches, which they had not made public. In the first breach, a hacker stole the personal data of at least 500 million users, including some unencrypted passwords and answers to security questions. As TechCrunch reported at the time: “With the answers to security questions, a hacker could easily jump through a number of online forms to reset users’ passwords on sites where an additional means of account verification — like two-factor authentication — is not involved.”
In the second breach (widely reported to have been carried out by a state-sponsored actor), 1 billion accounts were compromised, and again personal information and login credentials were stolen. Yahoo’s chief information security officer reported that stolen passwords were hashed using MD5, but tech insiders countered that MD5 was an outdated and insecure form of hashing that could easily be cracked to reveal the passwords.
In the end, Verizon went ahead with the acquisition of Yahoo but knocked $350 million off the purchase price. Verizon also agreed to share legal liability for the breaches with Yahoo. It was a costly inheritance, and, coupled with the PR fallout, it damaged the deal’s value in ways that will doubtlessly be felt for years.
In the wake of this scandal-plagued acquisition, the SEC issued new guidelines for cybersecurity disclosures, so neither shareholders, customers, nor acquiring companies are kept in the dark about a data breach. Nevertheless, the Verizon-Yahoo story has made mergers and acquisitions dealmakers take a closer look at cybersecurity during due diligence in order to determine whether the target company has appropriate security in place to be legally compliant.
Marriott Acquires Starwood... and a Major IT Headache
In 2016, Marriott International purchased Starwood Hotels & Resorts for $13.3 billion, forming the largest hotel chain in the world. Despite initial enthusiasm for this megadeal, it has been fraught with difficulties, many stemming from problems integrating software between the two chains’ operations. Two years into the merger, the two chains still struggled to transform into a truly combined company, with some hotels reporting that the transition to a new salesforce system got in the way of sales.
Then, in 2018, Marriott revealed that Starwood had suffered a massive data breach, in which nearly 400 million guest records were exposed through a security flaw in Starwood’s reservation system. The flaw in Starwood’s system had existed since 2014, long predating Marriott’s acquisition. But when the breach was discovered in 2018, two years after the deal, Starwood’s reservation system still hadn’t been migrated to Marriott’s.
In light of this, Marriott was hit with a $123 million GDPR fine by Britain’s Information Commissioner's Office (ICO). In a statement, Britain’s information commissioner, Elizabeth Denham, said, “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
Don’t Let Data Privacy Derail Your M&A Deal
The one thing all these M&A disasters have in common is that they could have been prevented, or at least mitigated, had the companies in question known what warning signs to look for. Each of these companies (both the acquirers and the acquired companies) could have benefited from the expertise of dedicated identity-management professionals.
The right partners could have implemented cutting-edge encryption for Yahoo’s personal information, could have integrated Marriott’s and Starwood’s systems more quickly, and could have advised TikTok on the importance of data siloing in cross-border M&As.
In the year to come, investors will surely take these lessons to heart. Even though M&A activity is predicted to be robust in 2020, it will doubtlessly be tempered by caution around cybersecurity to ensure that these issues don't prevent M&A transactions from providing a return on investment.
If your business is in the M&A market, and you’d like to make sure it doesn’t have any cybersecurity skeletons in its closet, reach out to the team at Auth0.