The Fortune 500 CEO survey in 2021 found that two-thirds of interviewed CEOs consider cybersecurity risk their greatest concern, far greater than the risks presented by political instability or climate change. They are right to be concerned, particularly in the context of mergers and acquisitions (M&A), where the process of migrating and integrating data between merging firms can make them particularly vulnerable to sophisticated cyber terrorists (IBM, 2019). IT breaches during that process could significantly reduce the gains expected from a deal.
Furthermore, threats to successful deal completion may arise from past cybersecurity weaknesses, as highlighted in two recent cases. In 2017, Verizon cut its purchase price for Yahoo’s internet business by $350 million after Yahoo disclosed three massive data breaches compromising more than one billion customer accounts. Similarly, Marriott Hotels was fined $23.8 million for a data breach at the Starwood Hotels group two years before Marriott acquired the group. The fine was levied by the Information Commissioner’s Office (ICO) in the UK, where the breach affected seven million users. These cases exemplify how pre-merger data breaches and other cybersecurity failures can wreak havoc on deals. Like environmental liabilities, undisclosed and unidentified cybersecurity-related liabilities get transferred to the acquiring firm following the successful completion of a merger. Given that these liabilities are typically not directly observable before closing, cybersecurity risk might also result in material legal consequences. The economic and financial implications of these undisclosed liabilities might lead to the failure of an attempted merger or significant write-offs post completion.
In a new article, we investigate whether firms’ cybersecurity profile is a significant determinant of an acquirer’s decision to buy a company and the likelihood that the company will become a target. Using measures of cybersecurity risk developed in recent studies (Lattanzio and Ma, 2022, and Florackis et al., 2022), we show that firms with low cybersecurity risk are significantly more likely to engage in M&A. These findings are consistent with the hypothesis that the data migration process through which merged firms consolidate their data and IT systems represents a material concern that might preclude firms with high cybersecurity risk from doing deals. Furthermore, we show that firms with stronger cybersecurity profiles are more likely to merge, suggesting that low cybersecurity risk firms display a strong preference for avoiding high cybersecurity risk targets.
Next, we examine how the cybersecurity profiles of two merging firms affect market reaction to the merger announcement. Over the full sample period, we find no significant effects. However, we find that the market reacts positively to merger announcements involving an acquirer with a low cybersecurity-risk profile in recent years and in periods of high cybersecurity scrutiny, consistent with increased investor awareness of cybersecurity risk over time.
In terms of the M&A process, we document that attempted mergers are significantly less likely to be withdrawn when the target has low cybersecurity risk. This result is indicative of the importance of cybersecurity risk to the likelihood of deal completion. It also highlights how the due-diligence process can help in assessing corporate cybersecurity risk.
Finally, we show that the outcome of this evaluation process is reflected in the merger premium, which appears to be higher for low cybersecurity-risk acquirers. This finding is consistent with low cybersecurity-risk acquirers being better at capturing synergies from the deal by, for instance, being better positioned to manage the challenging task of data migration and integration. Consistent with this interpretation, we document that mergers involving low cybersecurity-risk firms achieve higher post-merger operating performance and are less likely to incur goodwill write-offs over the three years following the deal completion.
Our evidence is consistent with the proposition that cybersecurity risk poses a significant threat throughout the merger process, from the likelihood of being attempted in the first place to the likelihood of being completed through the post-merger integration phase. In particular, cybersecurity is a critical risk factor affecting (1) a firm’s propensity to engage in M&A, (2) the matching process in the M&A market, (3) the likelihood of successful completion of deals, and (4) both investors’ ex-ante and ex-post pricing of deals. These novel findings have important implications for both regulators and shareholders concerned about the potential impact of cybersecurity risk on M&A.
Lattanzio, G., Ma, Y. (2022). Corporate Innovation in the Cyber Age. Working Paper.
Florackis, C., Louca, C., Michaely, R., Weber, M. (2022). Cybersecurity Risk. The Review of Financial Studies, Forthcoming.
For example, the excerpt from the ICO’s penalty notice against Marriott issued on October 30, 2020, states that: “During the acquisition process, Marriott states that it was only able to carry out limited due diligence on the Starwood data processing systems and databases. For the avoidance of any doubt, the Commissioner is not making any finding of infringement in respect of the period between Marriott’s acquisition of Starwood and the entry into force of the GDPR on 25 2018. Accordingly, the commissioner has not determined whether or not it was possible for Marriott to conduct due diligence during a takeover. There may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover.”
This post comes to us from professors Gabriele Lattanzio at Nazarbayev University and Jérôme Taillard at Babson College. It is based on their recent article, “M&A and Cybersecurity Risk: Empirical Evidence,” available here.