M&A spurt could bring fresh wave of company data cyber crime

By:
Carol Dean
Published on:

Corporate finance activity is expected to keep on rising this year, particularly in mergers and acquisitions, but companies that engage in deal-making need to be vigilant of the threat of cyber crime around acquisitions.

Although uncertainties remain, markets are strengthening and a steady recovery in the M&A market is predicted in 2014 and beyond. Increased global stability, a calming of the eurozone crisis and US fiscal problems, and China’s strengthening commitment to becoming a market-driven economy support this theme.

These, together with a natural rebalancing of M&A activity as western markets return to favour, is expected to propel M&A as 2014 progresses.

Only this week, Irish fruit firm Fyffes and US rival Chiquita said they are to merge to create the world’s largest banana company, in an all-stock deal valued at about $1.07 billion.

However, as companies rely more on technology to enhance their operations, and digital systems often represent the lifeblood of businesses, so the threat of cyber crime rises. And corporate finance activity in particular can provide fertile ground for cyber criminals, according to industry experts.

“Sophisticated cyber criminals have been known to use malware and hacking for the purposes of corporate espionage,” says Hugh Callaghan, director, Europe, Middle East, India and Africa financial services advisory at Ernst & Young.

“As M&A activity increases, there will be more scope for cyber criminals to use the same techniques to influence the negotiation strategies and pricing of major transactions, either working directly for a party on either side of the transaction or simply as observers taking positions based on the outcomes.”

He adds: “This could be as simple as sending an email creating a convincing reason to click on a malicious link and planting malware to compromise the passwords to an email account or related documents.”

A recent report by the Institute of Chartered Accountants in England and Wales (ICAEW) – supported by a number of high-profile private and public sector institutions, including the UK Cabinet Office – said businesses, advisers, investors, regulators and other stakeholders need to make more of an effort to understand the threat to cyber security when undertaking corporate finance activity.

“This is vital in corporate finance transactions, which are a major area of economic activity and source of entrepreneurship, innovation, expansion and growth for companies,” the report states.

Put into context, accountancy firm Ernst & Young reports that general breaches of information security are rising annually by 50%.

Jane Jenkins, partner at law firm Freshfields Bruckhaus Deringer
Jane Jenkins, partner at law firm Freshfields Bruckhaus Deringer, says: “The number of [cyber] attacks taking place is happening more frequently. The UK and European governments are concerned. There is real concern as to the impact on business/economic advantage.”

Understanding, anticipating and managing cyber-security risks in corporate finance is crucial for business security and an issue to be dealt with not only by IT and technical specialists.

“I have heard – anecdotally – that this is a real issue and many companies have been exposed to cyber attacks in the context of M&A, and other highly sensitive transactions,” says Jenkins.

“A number of companies are saying that information is vulnerable to attack – this includes highly sensitive data around the identity of a target and the terms of a transaction that may be accessed by competitors.”

Whether the information relates to intellectual property (IP) data held by a company about to be acquired by a competitor, or a law firm that holds the financial data of a FTSE 100 company seeking a loan refinancing, or a company seeking finance to enter a new market, it is important those parties involved in the corporate finance activity should guard against cyber risk.

One high-profile case that highlighted the need for security among all parties in M&A negotiations was BHP Billiton’s $40 billion bid to acquire Canada-based Potash Corp of Saskatchewan Inc in 2010.

It was reported that hackers based in China attempted to derail the acquisition by hacking into a number of security systems, including lawyers, Canada’s finance ministry and the Treasury board. However, the Canadian government later scuppered BHP’s takeover bid using federal powers to declare the deal was not in the country’s interest.

Even before a company has decided to push the button on a corporate finance deal, it should limit the number of individuals brought to the table as far as is practicable.

“If you mention to companies about the threat of cyber crime, they typically think that’s not going to happen to them,” says Adrian Clark, partner at law firm Ashurst. “The [ICAEW] report highlights good corporate governance practice. It’s trying to make corporates behave in a sensible way, but not particularly cyber specific.”

If a decision is reached by a company to proceed with a deal, then ICAEW suggests one individual within each organization could be responsible for the security of information being shared. Confidentiality agreements with all parties should be undertaken, including cyber-security practice.