Due diligence grows at acquisition targets in attempts to
prevent any security surprises
By Kim S. Nash and Ezequiel Minaya
This article is being republished as part of our daily
reproduction of WSJ.com articles that also appeared in the U.S.
print edition of The Wall Street Journal (March 5, 2018).
Automatic Data Processing Inc. deployed a team of cybersecurity,
risk management and financial-crime specialists to WorkMarket
before acquiring it in January.
The ADP team combed the software maker's technology, practices
and internal policies. It also interviewed staff about monitoring
for intrusions, training employees and performing other security
tasks. The payroll processor also hired a cybersecurity firm to do
its own evaluation.
Security problems, said ADP's chief security officer Roland
Cloutier, could kill any deal.
"If we found out data was exfiltrated, we may walk away," he
said. "We've looked at a lot of companies and only purchased a few.
Security always plays a part."
Companies are intensifying due diligence of acquisition targets
to avoid costly cybersecurity surprises, particularly when
intellectual property, such as software code or customer data, drives
the deal.
Scrutiny will continue as merger and acquisition activity heats
up on expectations of extra cash from lower corporate tax rates. As
of late February, 18 transactions valued at more than $5 billion
each have been announced -- up from 10 such big deals during the
same period in each of 2017 and 2016, according to Dealogic.
Gaps in data protection, undiscovered breaches, regulatory
violations and other holes in a company's technology operations can
threaten transactions. Such problems can also decrease the value of
a deal or leave an acquirer liable for problems after a merger.
ADP investigators typically look for trouble spots such as signs
of an unauthorized presence on the target's network and scant or no
evidence that employees have received security training.
No significant problems surfaced at WorkMarket, but deep study
of a target's cybersecurity helps executives forecast deal costs,
Mr. Cloutier said. ADP typically spends two to four months on the
process.
Problems can arise even years later. FedEx Corp. moved quickly
last month to secure a server that exposed data from customer
driver's licenses and passports. FedEx inherited the server when it
bought e-commerce service Bongo International in 2014.
Four or five years ago, cybersecurity due diligence consisted of
asking a few questions in a short phone call, said Evan Wolff, a
partner at Crowell & Moring LLP.
Now data compromises can diminish the value of a transaction, he
said. Suspected theft of sensitive data uncovered through due
diligence "becomes a business issue," he said.
Verizon Communications Inc. last year renegotiated an
acquisition proposal with Yahoo Inc.'s board after details emerged
about massive hacking incidents. Verizon would ultimately learn all
three billion Yahoo accounts were hit.
As a result, Verizon lowered its proposed purchase price by
$350 million to $4.48 billion.
The company did studies to assess potential reputational harm
and future risks, said Craig Silliman, Verizon's general counsel,
speaking at a Wall Street Journal conference in December. "We said,
'We feel like we have enough clarity that we can put parameters
around the risk here and negotiate a deal that effectively
compensates us for the risk.'"
Home Depot Inc. performed cyberrisk due diligence before buying
retailer The Company Store and tool-rental firm Compact Power
Equipment Inc. in 2017, said finance chief Carol Tomé.
"Our plans are basically to integrate these companies," Ms. Tomé
said. Their operations will be moved to Home Depot's platforms and
networks, she said. "So we're closing down any little holes that
the threat actor could take advantage of."
The company has assessed cyberrisk on potential deals for the
past decade, according to a spokesman. Getting breached in 2014
elevated cybersecurity concerns among senior leaders at Home Depot,
Ms. Tomé said. Hackers stole email and payment-card information of
up to 56 million customers.
Home Depot's due diligence playbook includes penetration
testing, Ms. Tomé said. "We have a heightened sense of awareness in
this area and our due diligence is exhaustive."
Waste Management Inc. doesn't dedicate a team to cyber issues
during the diligence phase. The company instead focuses on the
later stage of moving data from the target's systems into its own,
said CFO Devina Rankin.
The company spends $100 million to $200 million a year on
garbage and recycling haulers. Legal, finance and digital groups
move data about employees at acquired companies, usually within a
week of closing the transaction. Customer data is absorbed within
one month, she said.
Acquirers sometimes find costly cybersecurity issues embedded in
contracts that a target signed with its own customers, said Buck De
Wolf, general counsel for General Electric Co.'s global research
group. GE has purchased at least 14 companies since 2015, including
several small software providers, according to its annual
reports.
Small companies hungry for sales might make onerous promises
about how they will help and what they will pay for in a data
breach related to their products, Mr. De Wolf said, speaking at
a security conference in December. It can be "a Trojan Horse" when
taking on a new company, he said. Reviewing contracts helps GE
avoid these problems, he said.
Tatyana Shumsky contributed to this article.
Write to Ezequiel Minaya at ezequiel.minaya@wsj.com
(END) Dow Jones Newswires
March 05, 2018 02:47 ET (07:47 GMT)
Copyright (c) 2018 Dow Jones & Company, Inc.