The brand dedicated to the audit of digital assets, Vaultinum, has identified the possible vulnerabilities that affect the mergers and acquisitions (M&A) transactions and its solution. The number of mergers and acquisitions in Spain increased by 22% through September, according to TTR, and the technology sector is experiencing strong growth worldwide. This has significant consequences in terms of the potential risks posed for both the acquirer and the target company.
For example, data breaches during M&A processes have become sadly famous over the last few years, with more than 30% of executives surveyed by IBM reporting data breaches associated with M&A activity during the integration period. These gaps can be significantly reduced with a proper software audit performed prior to M&A, with the right vendor.
It is already common practice to apply the financial Due Diligence, evaluating that the asset is financially scalable, among other factors. Yet many companies continue to fail to carefully review software source code during their due diligence efforts. This is problematic, as it means that investors blindly enter an investment, due to the potential technological risks associated with source code, such as cybersecurity risks and open source licenses. Below is a list of the main risks that companies could face.
1 – Cyber threats
M&A deals are fertile ground for cybercriminals, offering short-term and long-term opportunities. In the short term, with business operations in transition, data is more vulnerable and at greater risk of attack. In the long term, M&A deals are an excellent opportunity to infiltrate the networks of the merged or acquired company.
Surprisingly, more than 50% of companies participating in the IBM study wait for due diligence to be completed before conducting any technology assessment of M&A transactions. The cyberthreats these deals face highlight the importance of conducting software due diligence in the pre-acquisition phase to reveal vulnerabilities.
2 – Data leaks and vulnerabilities
Acquiring or merging with a secondary company that has hidden data vulnerabilities can affect the primary company’s business operations, investor relations, and reputation. The most well-known example of this occurred in 2017, when Verizon revealed a data breach which occurred on Yahoo!
During the merger negotiations, it was revealed that Yahoo! had suffered a data breach during which a hacker stole the personal data of at least 500 million users, followed by a second data breach in which 1 billion accounts were compromised and personal information and login credentials were stolen of users session. In this case, Verizon decided to go ahead with the deal, but it was not without consequences. The purchase price was reduced by $350 million, and Verizon agreed to share legal responsibility for these data breaches. Furthermore, if this data breach had not been revealed during negotiations, Verizon could have overpaid for Yahoo!, in addition to suffering long-term legal and reputational damage.
Instead, both companies understood and assumed their responsibilities before reaching an agreement. Cybersecurity breaches indeed pose several risks to the business. Among them:
- a ransom demand
- A business interruption
- The theft of data and especially personal data that puts the company at risk in relation to compliance with the General Data Protection Regulation (GDPR).
In all three cases there are financial and reputational consequences associated with cybersecurity breaches, but in the third case, if the CEO of the company does not inform the national authorities about the theft of personal data and has not taken adequate measures to protect the organization against cybercrime, you may be asked to pay a fine and are legally liable, facing the risk of going to court. What technology due diligence does is to identify if a company has the appropriate measures to protect themselves, highlighting the risks or weaknesses of digital assets.
3 – OSS risks
For any M&A activity where the target company’s software is a major asset of the operation, the problems don’t end with hidden data vulnerabilities. Today, software developers often rely on public code repositories available on websites like GitHub or Stack Exchange, since the open source software (OSS) it has a number of significant benefits, most notably that it appears to be free at the point of use. However, they may not take into account the fact that OSS licenses are often offered subject to conditional restrictions.
By using OSS to create derivative products or link source code to OSS, developers are subject to these conditional restrictions, which may include publishing all or part of the code or paying a fee for its use. After the acquirer and the target company become a single entity, either through merger or acquisition, the acquirer becomes responsible for the target company’s prior use of the OSS, as well as the conditions relating to Your license.
The legal and financial costs of not conducting a full due diligence of the software are clear in this case: if the acquirers conduct a thorough due diligence in the pre-acquisition phase and discover any OSS embedded in the target company’s software, they can abandon the acquisition. agreement completely or, at a minimum, reduce its value and/or its conditions.
So carry out a due diligence A comprehensive review is essential during the pre-acquisition phase, to avoid the aforementioned issues associated with data breaches and software licensing. Current advances in technology artificial intelligence (AI) They allow these audits to be exhaustive, analyzing each line of code to identify potential software and data vulnerability issues. Vaultinum’s methods remove the subjectivity of a manual audit by an individual, which can always be weakened by human error. This approach protects the acquirer’s reputation, ensures business continuity, and avoids any potential legal liability for past target vulnerabilities.
