Yahoo’s Titanic Data Breach Highlights Risk to M&A
Yahoo (YHOO) said that a “state-sponsored” attacker had obtained data including user names, email accounts, hashed passwords (not in plaintext), telephone numbers, and street addresses, yet seemingly no financial information, for at least 500 million customers. The company said it believed the theft by a suspected “state-sponsored actor” occurred in late 2014 and that there was “no evidence that the state-sponsored actor is currently in Yahoo’s network.”
Get Data Sheet, Fortune’s technology newsletter.
Cybersecurity has grown to become a prime concern among businesses engaged in mergers and acquisitions because of the possibility they could derail the deals. A number of law, consulting, and computer security firms have introduced IT risk checkups for this very purpose.
Interest began picking up about a few years ago, industry experts have told Fortune, especially after the infamous breaches at retailer Target (TGT), health insurer Anthem (ANTM), and J.P. Morgan (JPM).
More often than not, cybersecurity snafus merely delay deals rather than severing ties entirely, according to a recent survey conducted by Mergermarket, financial news service, on behalf of West Monroe Partners, a Chicago-based consulting firm. Of 30 executives involved in M&A who were surveyed, roughly a quarter—23%—said they had walked away from a deal due to security issues, which could include compromised networks, data breaches, or poor compliance practices.
It’s hard to make any predictions about Yahoo based on these statistics alone since Yahoo’s case is exceptional, considering its huge size and its high-profile disclosure amid its deal-making with Verizon. Experts advise that purchasing companies request cybersecurity reviews of targets prior to sale.
Acquirers commonly discover computer network problems after the fact: 40% of the respondents said they had found issues after deals had closed.
For more on the Yahoo data breach, watch:
Pre-deal cybersecurity checkups typically take up to 10 people about two weeks to complete, depending on the size of the organization, said Sean Curran, director of security and infrastructure at West Monroe. These evaluations tend to focus on security management processes, rather than, say, determining the number of vulnerable computer servers from unpatched software bugs, which can vary depending on timing, he said.
Nearly half of the Mergermarket survey’s respondents—47%—said that they use pre-M&A reviews to “plan for fixes,” presumably with the intention of closing the deals. A third of them said they use the information provided to decide whether to proceed with deals, and a fifth of them said they use evaluations as a pretext to renegotiate prices.
In an interview earlier this year, Brian Finch, a partner at the law firm Pillsbury Winthrop Shaw Pittman, compared the impact of cybersecurity threats on M&A deals today to environmental factors in decades past. “Companies became aware of environmental liability and pollution concerns in the ’60s and ’70s,” he said, mentioning the need to check for ground water contamination and other issues affecting land. Now businesses are realizing the importance of IT sanitation. “This kind of investigating and due diligence is absolutely necessary to make sure a deal is structured properly and valued properly.”
“To use an environmental analogy,” Finch continued, “you could easily discover cyber-toxic companies, and that would lead to nobody wanting to acquire them.”
Reporters, such as Fortune’s Dan Primack, have questioned whether Yahoo’s present crisis could affect the status of its $4.8 billion acquisition by Verizon. Others, like Fortune’s Jeff John Roberts, have pointed out that the delay in notification could cause legal trouble for the portal and its purchaser.
“Twenty-four months ago, the concept of cybersecurity wasn’t on the agenda in the board room and therefore didn’t pay as big role from an M&A perspective,” said Matt Sondag, managing director of M&A at West Monroe. That’s now changed.