Why M&A needs data due diligence

Let’s talk about due diligence in the Mergers & Acquisitions process. Most people know it contains financial due diligence, commercial due diligence, legal and often environmental due diligence.

However, in an increasingly digital age, where data is or can be as valuable as what the business does itself, the one facet of diligence that is lacking, at present is DATA due diligence.

The Global M&A market in 2020 was $3.7trn, and in the UK it was valued at c£350bn.

In a survey by EY, 57% of CEOs said they would consider an acquisition in the next 12 months as a means of growth. The M&A and transactions market is expected to be buoyant in the next 1-3 years. But set this against an increasingly disturbing cyber risk landscape:

• Ransomware attacks have increased by 195% on 2019 levels, and will only continue to increase;
• Cost to UK companies alone in 2020 was c£350m of malware and ransomware attacks. Globally that is estimated to be a $20bn problem;
• 80% of cyber breaches/security threats are generated through insider threats; and
• 90% of data is “dark”. What does your business know about the data it generates at present?

Data due diligence helps identify any gaps in a company’s IT, data and security packages where ransomware and malware programmes could enter the system

GDPR and data protection has recently focused the need for companies of all sizes to be ever more mindful of its customers’ data protection, and also of the opportunity to recognise the potential to their businesses of accessing, harnessing and understanding and using their customers’ data. This can enable them to anticipate sales trends, and tailor sales and product/service offerings that are more targeted and have a higher chance of stronger take up from customers.

From an M&A perspective, the benefits of data due diligence are:

• Helps identify in the early stages any gaps in a company’s IT, data and security packages where ransomware and malware programmes could enter the system – enabling them to be “plugged” before any attack;
• Avoids having to pay ransom and be held hostage, taking management time and focus in dealing with the attack, thereby not running the business;
• Avoiding an attack avoids current and future insurance issues and disputes with insurers;
• Avoids data breaches/fines/reputation issues and hits to confidence, and for publicly listed companies, a severe potential knock-on share price that would far exceed any fine/ransom or insurance issue;
• For acquisitive companies or Private Equity houses backing corporate acquisitions, it will also protect and enhance exit multiples when the business is eventually sold – less opportunity for an acquirer to price chip/put forward a disadvantageous deal structure on acquisition (such as consideration being held in an escrow account for a long period of time, and turning into quasi earn out consideration)