Romano Herrie (Fox-IT) about cyber security and M&A

You can’t open a newspaper these days without seeing some reference to cyber crime: foreign hackers interfering with election results, companies paralysed by ransomware and data on thousands of individuals stolen and sold on. So it’s especially baffling that the evaluation of cyber security still isn’t a standard element in a due diligence process, says Romano Herrie of Fox-IT, the well-known Dutch computer and network security company. “Cyber crime has become a major risk factor. Buyers therefore want to know if the company they’re about to acquire is fully secured.”

Text: Michiel Rohlof. Photos: Sicco van Grieken.

In July 2017, PayPal, owner of the eponymous online payment system, acquired the Canadian utility network operator TIO Networks for 240 million dollars. Less than four months later, a huge data breach came to light in the new subsidiary, compromising information relating to some 1.6 million clients. In what was clearly a major setback, PayPal was forced to suspend TIO Networks’ operations. Earlier in the year, Verizon, another tech giant, managed to get the price of its acquisition of Yahoo reduced by 350 million dollars after Yahoo discovered it had sustained two major data leaks between signing and closing the deal. So the impact of cyber crime can be huge. Yet despite that, it’s given very little attention in the due diligence phase. Romano Herrie, who’s been with Fox-IT since September and was previously a banker working on M&A transactions, saw this for himself during the countless M&A processes he supervised. “There was little or no focus on cyber security in the due diligence phase, yet it’s a very real risk for all companies,” Herrie confirms. “Cyber crime has become a highly lucrative industry in recent years: companies are now confronted by hackers with an increasingly sophisticated arsenal at their disposal.”

Public pressure
The General Data Protection Regulation (GDPR), which recently came into force, further underlines the need to secure personal data and prevent data breaches. “Public pressure to keep customer details safe is growing, and companies are being subjected to increased scrutiny. Cyber crime has become a major risk factor, so it’s only logical to include data security in the due diligence survey,” Herrie says.

Buyers are obviously anxious to know that the new acquisitions they are bringing on board are safe. “They need to ask themselves how vulnerable a potential acquisition might be,” he continues. “Where are the risks, what might hackers be especially keen to get their hands on, what could they make money from? Some businesses might already have been targeted without realising it. This is why buyers ask for insight into the company they are thinking of acquiring, and access to their IT systems may be necessary to gain that insight. An ‘open source’ investigation doesn’t require the cooperation of the company being screened. Yet a survey of this kind, which maps its digital footprint, can produce useful insights. It can, for instance, indicate its potential vulnerability to corporate espionage, the insecurity of the personal data it holds or its susceptibility to operational risks, a factor that is often overlooked. A manufacturing company, for instance, may have production lines that are controlled by outdated, poorly secured software. This carries a high risk of software contamination, which could easily bring the entire production process to a standstill. An incident of this kind would result in enormous disruption, with potentially major financial losses.”

At least a year
Herrie can assist sellers in providing more clarity by helping them compile a vendor due diligence. “This shows potential buyers that the seller has nothing to hide. But of course, you’ve got to start it in good time. You should reckon on at least a year to get your technology, processes and corporate conduct fully in line. That means you mustn’t simply start when the sales process is being prepared; you need to take adequate measures well before that. Prevention is always better than cure – as well as generally being far more cost-effective.”

Then there’s the due diligence process itself, during which company data is shared with many different parties. “Sensitive information such as financial projections, business plans and inside information suddenly becomes visible almost overnight to many different parties, each of which has advisers of its own. Much of this information is sent by email, and documents are rarely password-protected. Virtual data rooms also don’t always use two-step authentication. So the acquisition process itself is fraught with risk,” Herrie warns.

Wake-up call
Herrie spends much of his time supporting private equity investors, whose primary concern is to identify and remove risks. Companies and their advisers are now also beginning to acknowledge the importance of cyber security. They’re already busy working on it in preparation for the GDPR, and for many the insight this has given them into their data has been a real wake-up call. In 2017 alone, more than 10,000 data leaks were reported to the Dutch Data Protection Authority, an increase of 70% on the previous year (5,849). “Cyber crime is too big an issue to ignore. A properly implemented cyber survey can prevent a huge number of problems from arising and save you a great deal of money,” Herrie concludes.