The Cyber Short
by Jeff Welgan, Executive Director, CyberVista
Abbott Laboratories (ABT), a global manufacturer of healthcare product, announced the acquisition of St. Jude Medical (STJ) in April 2016. The $25 billion deal is now in peril after a recently-released cybersecurity report alleged that STJ’s pacemakers and defibrillators – part of a category that represents 50% of STJ’s revenues – were vulnerable to wireless cyberattack by hackers, jeopardizing the safety of thousands of device recipients.
The author of the security report, MedSec Holdings, fed their findings to Muddy Waters Research, an investment research firm that subsequently shorted STJ stock.
This arrangement financially benefited Muddy Waters and Medsec when the damaging report was made public and the STJ’s stock price dropped more than 10%. As a result of the report, more shares of STJ were traded on the date of the cybersecurity report release than on the day the acquisition was announced in April. Muddy Waters and other short-sellers stand to profit even more if the deal falls through because of these cybersecurity lapse disclosures.
Public scrutiny around acquisitions has heightened for both companies involved in a deal. Senior leadership, including the Board of Directors, must ensure that cybersecurity due diligence is conducted as faithfully as any other diligence area. In a 2016 NYSE Governance survey, three-quarters of respondents said that a high profile data breach at an acquisition target would have serious implications on a pending acquisition. Moreover, more than half of the respondents said that a high profile cyber breach would diminish an acquisition target’s value.
Cybersecurity risk can be viewed and managed as a risk amplifier of other categories like financial, operational and strategic risk. Though cybersecurity issues sometimes surface during the early diligence phase, it is more often the case that issues don’t become apparent until after the deal closes – during the integration phase – leading to integration delays, cost overruns, and, worse case, a breach.
While this is not the first time that cybersecurity issues have negatively affected stock prices (i.e. Target, Sony), this may be the first public case where cybersecurity disclosures – responsible or otherwise – were tactically used to affect interim company value and potentially derail an acquisition deal. Rather than disclosing the alleged vulnerabilities with the medical devices to the manufacturer, or even to the FDA or other regulators, it seems that MedSec disclosed the vulnerabilities to Muddy Waters with financial goals in mind. Though this seems to be the first such public case of engineering profits from cyber issues affecting stock price, it won’t be the last.
Cybersecurity is perceived as complex and critical, and so will be a lasting and prime tool for short sellers.
It is difficult to point to what, if anything, went wrong in the cyber diligence between ABT and STJ given the still-pending nature of the transaction. However, a CyberVista analysis of the merger agreement documents does not show any references to cybersecurity as a diligence condition or as a material breach trigger for the acquisition.
When entering any M&A deal, the process of cybersecurity due diligence should start early in the negotiation phase. With cyber due diligence, there are a multitude of considerations to take into account to avoid the many wrenches that can be thrown into acquisition plans. Below are the top five cyber considerations during an acquisition:
1. Are there any indications that the acquisition is currently breached or has previously been breached?
Current breaches can be a worse case scenario for the buyer as they will have to deal with any potentially consequences that may result from the incident.
Previous breaches also provide an indication of areas of vulnerability for the acquisition and what they have done since to improve their resiliency.
2. What is the overall cybersecurity maturity of the acquisition?
Cybersecurity equals cyber maturity. Be wary of acquisitions that have lackluster cybersecurity policies, procedures, organization and reporting structure, and cybersecurity awareness training.
3. Has the organization conducted its own cybersecurity audit? When? By whom? What were the results?
It’s important that all organizations conduct regular cybersecurity audits, and it should be no different for the acquisition. As part of your negotiations, ensure that the acquisition has a cybersecurity risk assessment conducted by an independent and reputable third party.
4. What types of devices, systems, and data does the acquisition have that may be at risk?
Keep in mind that businesses are part of interconnected operating environments. It’s important to identify the acquisition’s critical assets, as well as the potential implications should they become compromised.
This consideration is the one ABT may have passed over. Had they discovered the medical device risk, they could have built in provisions in the merger agreement to address it.
5. How are cybersecurity due diligence efforts being documented?
Ensure that all due diligence efforts, for both the buyer and the acquisition, are being tracked, documented, and stored. Going through a formalized documentation process will reduce the chances that cyber issues are overlooked. It will also provide evidence of good faith and care during any unforeseen circumstances.
Is your company in a weak position due to the magnitude of data and technologies you utilize? Do you have the literacy to ensure your company is doing the proper due diligence across the full gamut of cybersecurity risks when evaluating potential mergers or acquisitions? CyberVista’s Board and Executive programs ensure directors and executives have the tools to evaluate how cybersecurity impacts their own business posture and provide invaluable insights so they can make effective cybersecurity decisions.