Digital Due Diligence: Don’t Do a Deal Without It
Merger and acquisition activity has been increasing sharply, with worldwide transaction value up 26 percent in the first half of 2018 over the same period in the preceding year. Beneath that growth dynamic has been a widening emphasis in recent M&A deals on transforming, rather than merely growing, a business.
Facing the resource squeeze that’s a feature of today’s strong economic environment, companies are looking at potential acquisitions as a way to take the business in an entirely different direction. In addition to the traditional focus on vertical or horizontal expansion or new market acquisition, businesses are using M&A to target new growth in indirectly related areas or to entirely reshape the nature of their interactions with customers or vendors.
One of the most prominent recent examples is CVS’s acquisition of Aetna, a potentially transformative deal for the healthcare sector and a template for other industries.
The disruptive possibilities of such combinations present acquirers with remarkable opportunities. But they also bring substantial added risk, most notably from digital assets that, in today’s world, are key to business success or failure.
In the face of market pressures, it’s crucial that acquirers have the most transparent view possible of the potential impact of a target’s digital holdings. From websites and social platforms to supply chains, data security, and privacy, companies face a wide range of potential trouble spots. To avert potential compliance gaps, it’s critical to understand all the issues that may relate to the linkage between the target’s value and how well it is managing its digital footprint.
The ultimate success of any merger or acquisition is gauged by the combination’s long-run value, but poor due diligence can produce immediate and significant fallout, especially where compliance factors may not have been well understood. Several examples underscore the danger.
In the run-up to Verizon’s takeover of Yahoo, which closed in June 2017, two data breaches of Yahoo’s platform compromised about 1.5 billion accounts. The resulting $350 million knockdown in the purchase price helped Verizon avoid impaired goodwill and reputation had the breaches happened after the deal closed.
On the other hand, PayPal suffered the consequences of inadequate due diligence after it acquired Canadian payments processor TIO Networks in mid-2017. PayPal suspended TIO’s operations in November of that year when it discovered a security problem on the platform. PayPal ended up recognizing a $30 million goodwill impairment because of the discovery, representing about 13 percent of the deal’s purchase valuation.
Acquiring entities need a clear understanding of the relevant range of operations and solid confirmation that the target is appropriately managing all compliance requirements. Given the prevalence of data breaches and potential financial and reputational consequences, data security and related policies and procedures are a good place to start. This is a high-risk area if the acquired entity, for example, does not have in place an appropriate breach notification and response policy.
There also are myriad industry-specific regulations and laws where compliance issues will reach into the digital realm. Insufficient or improper reporting under a host of measures, including the Gramm-Leach-Bliley Act and the Telephone Consumer Protection Act, are areas where extensive digital due diligence could discover dangerous gaps ahead of closing to avoid subsequent losses.
Proper due diligence has always been essential to business success. However, in today’s environment, added emphasis on the digital component may be a pivotal factor affecting the outcome.