During the first half of 2017, West Monroe and Mergermarket surveyed 100 senior private equity and corporate executives, all with organizations that have acquired at least one software firm over the past three years. Respondents cited various challenges to orchestrating a successful acquisition, and cybersecurity was among the top ones.
It’s been said that there are two types of companies out there – those that have been hacked and those that have been hacked and just don’t know it yet. According to Verizon’s research, more than a quarter of data breach incidents in 2016 took at least a month to discover, and one in 10 went unnoticed for at least a year.
Cybersecurity concerns weigh heavily on the minds of executives everywhere – and financial and strategic software investors are no different. These investors are gobbling up software companies at near-record rates, and the speed at which many deals move elevates the risks. Said one CEO of a US corporation who participated in our survey: “We carried out one deal in a rush. We wanted to get it done soon and didn’t focus on the software or the risks in integrating the software. Because of this, we faced a lot of risks from hackers and had to take our systems offline.”
More investors are dissatisfied with cybersecurity diligence
Rapid deals mean less time to conduct diligence. While most respondents said they are satisfied with their recent diligence experiences, far more (16 percent) expressed dissatisfaction with past experiences conducting cybersecurity due diligence than they did with diligence efforts around a target’s technology (1 percent) or operations (also 1 percent).
To see whether and how perceptions have changed, we compared the results to those of a cybersecurity due diligence survey we conducted last year with a diverse group of senior corporate and private equity executives (Testing the Defenses: Cybersecurity Due Diligence in Mergers and Acquisitions). The results of our latest survey clearly show that investors are not feeling any better prepared than they were a year ago. In fact, this year’s data indicates a drop in cybersecurity due diligence preparedness, with 16 percent reporting they were somewhat dissatisfied with their most recent cybersecurity due diligence process. In the 2016 survey, only three percent of respondents said they were somewhat dissatisfied.
A majority, 63 percent, of respondents said they have walked away from a software deal in the past, including more than half of corporate respondents and two thirds of private equity firms. For corporate investors, cybersecurity was one of the top two reasons for abandoning a deal, along with financial/tax issues.
Top cybersecurity concerns
Respondents expressed an array of concerns about cybersecurity issues at a software target. Just over 40 percent said their top concern was the potential for complications during post-merger integration, while another 22 percent cited threats to business data as their top concern. Many investors are also concerned about the cost of correcting problems as well as frequent or recent data breaches.
The impact on reputation is also on the minds of some survey respondents, as a senior vice president for corporate development with a US-based corporation noted: “It has the power to damage our reputation and push our business towards closures, being pressurized by the lack of trust displayed by the customers in commencing future dealings with us and our software platforms.”
Compliance is also a thorny issue and the leading reason why private equity investors said they walked away from a deal. When preparing for a cross-border software deal, today’s investors face a plethora of privacy and data security regulation. In the United States, for example, there are 20 sector-specific national privacy or data security laws, as well as hundreds of laws among its states and territories – 25 in California alone.
Problems – and regrets – following close
Respondents’ concerns about the impact on post-merger integration appear to be warranted. More than half said that they have discovered a cybersecurity problem at an acquired software company after the deal was completed.
And respondents who said they regret making a past software acquisition cited cybersecurity issues as one of the two leading reasons they wish they had not carried through with the transaction, behind competition in the segment.
Making cybersecurity part of business as usual
For some, encountering and neutralizing cybersecurity issues is now an expected part of how they do business. According to the CEO of a Swedish corporation: “During the integration process we come across problems that we need to manage. Cybersecurity glitches are very common. But our team is very quick on the uptake and keeps looking for these problems. The team deals with them before they become a problem for the company.”
See more insights from Software M&A Frenzy: Searching for the Competitive Edge here.