Magazine article Risk Management

Cybersecurity Concerns in M&A Due Diligence

Magazine article Risk Management

Cybersecurity Concerns in M&A Due Diligence

Article excerpt

In April, healthcare products manufacturer Abbott Laboratories announced the acquisition of St. Jude Medical. Shortly thereafter, however, the $25 billion deal was threatened when a report alleged that St. Jude's pacemakers and defibrillators--part of a category that represents 50% of the company's revenues--were vulnerable to wireless cyberattack, jeopardizing the safety of thousands of device users. The author of the security report, MedSec Holdings, fed their findings to Muddy Waters Research, an investment research firm that subsequently shorted St. Jude stock. This arrangement financially benefited Muddy Waters and MedSec and, when the damaging report was made public, St. Jude's stock price dropped more than 10%. Muddy Waters and other short-sellers stand to profit even more if the deal falls through because of these disclosures of cybersecurity lapses.

In general, public scrutiny around acquisitions has increased for all companies involved in deals. Senior leadership, including the board of directors, must ensure that cybersecurity due diligence is conducted as faithfully as any other diligence area. In a 2016 New York Stock Exchange Governance Services survey, three-quarters of respondents said that a high-profile data breach at an acquisition target would have serious implications for a pending acquisition. Moreover, more than half said that a high-profile cyber breach would diminish an acquisition target's value.

While this is not the first time that cybersecurity issues have negatively affected stock prices, this may be the first case where cybersecurity disclosures--responsible or otherwise--were tactically used to affect interim company value and potentially derail an acquisition deal. Rather than disclose the alleged vulnerabilities of the medical devices to the manufacturer, the FDA or other regulators, it appears that MedSec disclosed the vulnerabilities to Muddy Waters with financial gains in mind. Although this may be the first such case of stock manipulation, it will not be the last. Cybersecurity is perceived as complex and critical, and therefore could be a valuable tool for short-sellers.

[ILLUSTRATION OMITTED]

Given the pending nature of the transaction, it is difficult to pinpoint what, if anything, went wrong in the cybersecurity due diligence between Abbott Laboratories and St. Jude Medical. An analysis of the merger agreement documents, however, does not show any references to cybersecurity as a diligence condition or as a material breach trigger for the acquisition. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.