M&A spurt could bring fresh wave of company data cyber crime
Corporate finance activity is expected to keep on rising this year, particularly in mergers and acquisitions, but companies that engage in deal-making need to be vigilant of the threat of cyber crime around acquisitions.
Although uncertainties remain, markets are strengthening and a steady recovery in the M&A market is predicted in 2014 and beyond. Increased global stability, a calming of the eurozone crisis and US fiscal problems, and China’s strengthening commitment to becoming a market-driven economy support this theme.
These, together with a natural rebalancing of M&A activity as western markets return to favour, is expected to propel M&A as 2014 progresses.
Only this week, Irish fruit firm Fyffes and US rival Chiquita said they are to merge to create the world’s largest banana company, in an all-stock deal valued at about $1.07 billion.
However, as companies rely more on technology to enhance their operations, and digital systems often represent the lifeblood of businesses, so the threat of cyber crime rises. And corporate finance activity in particular can provide fertile ground for cyber criminals, according to industry experts.
“Sophisticated cyber criminals have been known to use malware and hacking for the purposes of corporate espionage,” says Hugh Callaghan, director, Europe, Middle East, India and Africa financial services advisory at Ernst & Young.
“As M&A activity increases, there will be more scope for cyber criminals to use the same techniques to influence the negotiation strategies and pricing of major transactions, either working directly for a party on either side of the transaction or simply as observers taking positions based on the outcomes.”
He adds: “This could be as simple as sending an email creating a convincing reason to click on a malicious link and planting malware to compromise the passwords to an email account or related documents.”
A recent report by the Institute of Chartered Accountants in England and Wales (ICAEW) – supported by a number of high-profile private and public sector institutions, including the UK Cabinet Office – said businesses, advisers, investors, regulators and other stakeholders need to make more of an effort to understand the threat to cyber security when undertaking corporate finance activity.
“This is vital in corporate finance transactions, which are a major area of economic activity and source of entrepreneurship, innovation, expansion and growth for companies,” the report states.
Put into context, accountancy firm Ernst & Young reports that general breaches of information security are rising annually by 50%.
|Jane Jenkins, partner at law firm Freshfields Bruckhaus Deringer
Jane Jenkins, partner at law firm Freshfields Bruckhaus Deringer, says: “The number of [cyber] attacks taking place is happening more frequently. The UK and European governments are concerned. There is real concern as to the impact on business/economic advantage.” Understanding, anticipating and managing cyber-security risks in corporate finance is crucial for business security and an issue to be dealt with not only by IT and technical specialists.
“I have heard – anecdotally – that this is a real issue and many companies have been exposed to cyber attacks in the context of M&A, and other highly sensitive transactions,” says Jenkins.
“A number of companies are saying that information is vulnerable to attack – this includes highly sensitive data around the identity of a target and the terms of a transaction that may be accessed by competitors.”
Whether the information relates to intellectual property (IP) data held by a company about to be acquired by a competitor, or a law firm that holds the financial data of a FTSE 100 company seeking a loan refinancing, or a company seeking finance to enter a new market, it is important those parties involved in the corporate finance activity should guard against cyber risk.
One high-profile case that highlighted the need for security among all parties in M&A negotiations was BHP Billiton’s $40 billion bid to acquire Canada-based Potash Corp of Saskatchewan Inc in 2010.
It was reported that hackers based in China attempted to derail the acquisition by hacking into a number of security systems, including lawyers, Canada’s finance ministry and the Treasury board. However, the Canadian government later scuppered BHP’s takeover bid using federal powers to declare the deal was not in the country’s interest.
Even before a company has decided to push the button on a corporate finance deal, it should limit the number of individuals brought to the table as far as is practicable.
“If you mention to companies about the threat of cyber crime, they typically think that’s not going to happen to them,” says Adrian Clark, partner at law firm Ashurst. “The [ICAEW] report highlights good corporate governance practice. It’s trying to make corporates behave in a sensible way, but not particularly cyber specific.”
If a decision is reached by a company to proceed with a deal, then ICAEW suggests one individual within each organization could be responsible for the security of information being shared. Confidentiality agreements with all parties should be undertaken, including cyber-security practice.
“Ongoing monitoring of access to information can help to highlight suspicious activity at the earliest stage possible,” the report says, adding that, if practicable, companies should consider sharing information via a secure data store that is separate from the organization’s usual IT systems or mobile devices.
Parties providing corporate finance advice and support also need to ask when a company’s board last considered cyber security.
When bidders of a business undertake due diligence, this poses increased risk of information theft and interception risk.
The development of virtual data rooms to provide much of the necessary information has made this part of the process more streamlined, efficient and cost-effective, but it has brought additional risk, as much of the information is stored online and could therefore be vulnerable to attack.
“Data rooms should be adequately secure from attack,” says Freshfields’ Jenkins. “It’s important how information is locked down and exchanged, including encryption of emails. Cyber security risks should be part of due diligence.
“Some companies are very aware of security risks in integrating systems with another company. What has changed is the awareness of risk and the scale of the threat.”
Information risk might also be heightened once a transaction becomes public knowledge and funds might be dispersed that could be intercepted by parties with malicious intent.
However, data protection is also a concern away from corporate finance activity.
“Multinationals in regulated industries are now concerned about their supply chains, with suppliers having to meet acceptable security standards, so these standards are cascading down the supply chain to unregulated industries,” says Jenkins.
“To remain a supplier, a company has to comply with its customer’s requirements. There’s greater awareness of the risks.”
However, different industries do place varying levels of importance to data protection.
“There are varying degrees of cyber security in relation to business sectors,” says Jenkins. “At one end of the spectrum are defence companies, which are always highly aware of the need to protect information from attack. Indeed, they are now using their expertise as a platform for new business across other sectors.”