Don’t Acquire a Company Until You Evaluate Its Data Security
Extract from an article by Chirantan Chatterjee and D. Daniel Sokol as published by Harvard Business Review
In any transaction between an acquiring company and a target company (seller), there is asymmetric information about the target’s quality. While managers have long understood this concept, recent events shed light on an emerging nuance in M&A — that of the data lemon. That is, a target’s quality may be linked to the strength of its cybersecurity and its compliance with data privacy regulation. When an acquirer does not protect itself against a data lemon and seek sufficient information about the target’s data privacy and security compliance, the acquirer may be left with a data lemon — a security breach, for example — and resulting government penalties, along with brand damage and loss of trust.
So what to do about data lemons? You can simply make the deal anyway, especially if the value created by the deal outweighs the risks. Or you can take the Verizon path and reduce the valuation post-acquisition. We propose a third option: due diligence not just on the financials of the target firm, but also its regulatory vulnerabilities during the M&A discussion process. The idea is to identify potential data breaches and cybersecurity problems before they become your problem.
- An Abridged Look at the Business of eDiscovery: A Short List of eDiscovery Investors
- An Abridged Look at the Business of eDiscovery: Mergers, Acquisitions, and Investments