An Article last week in the Pittsburgh Post-Gazette written by the law firm of Meyer, Unkovic & Scott LLP, stated what I would think is obvious, but apparently not.
78 percent of global dealmakers report that cybersecurity isn’t a part of the due diligence process before mergers and acquisitions.
And why, you ask, is that so? The answer also seems obvious to me —
90 percent of survey respondents reported that information about past breaches or cybersecurity weaknesses would reduce the sales price of an acquisition.
Alternatively, and even worse from the broker’s or seller’s standpoint, some buyers might walk away from the deal, and that would be the last thing that the seller or broker want. Since the broker is not legally required to suggest to the buyer that performing a cyber due diligence assessment and if one is performed, it might either reduce the sales price or blow up the sale, the broker is not going to suggest it. Ultimately, the buyer is left holding the bag.
From the buyer’s standpoint, requiring a cyber security due diligence audit is a smart negotiating move. If there are any serious issues then the seller should be required to fix them before the close or the buyer should walk away from the deal. If the buyer is comfortable that whatever cyber security issues are present are not fatal, then the buyer can and should negotiate a lower price.
Assuming the buyer is using a broker or lawyer – and the buyer should be – It seems to me that it borders on negligence for the buyer’s agent not to strongly recommend that a cyber due diligence be performed prior to closing.