Cybersecurity concerns block digital ambitions

  • Share

Digitalization is creating new business opportunities in all sectors, but cybersecurity issues and uncertainty around technology due diligence in deal processes are impacting M&A investment.

The pace of digital transformation is increasingly seeing many businesses become more like technology companies. The likes of Amazon, Uber and Airbnb have disrupted asset-heavy industries, such as retail, mobility and hotels, and delivered exponential growth. And now “traditional” businesses, such as industrial giant GE or supermarket king Walmart, are dramatically changing their business models to accommodate digital.

The potential for future growth through digitalization is vast. Technology company Cisco predicts that in five years, there will be more than 50 billion smart connected devices in the world. Meanwhile, a study by Baseline magazine revealed that a 10% increase in data accessibility would bring US$65 million in additional net income for a typical Fortune 1,000 company.

Security issues hit M&A

When it comes to enhancing digital capabilities, the majority (67%) of corporates see M&A as the most efficient way to get there, according to EY’s recent Digital Deal Economy Study, which surveyed more than 600 chief executives at non-technology companies from around the world.

However, cybersecurity and reputational risks are weighing down dealmakers seeking to buy into the digital revolution – indeed, 86% said they needed to be more prepared when it came to cybersecurity. The survey also revealed that the most significant cybersecurity risks in the transaction process are a lack of a recovery plan resulting from a breach during due diligence (26%) and understanding the target’s vulnerability to attacks (26%).

“Cybersecurity and the associated risks are some of the biggest problems facing businesses today,” says Rob Genieser, a managing partner at private equity (PE) firm ETF Partners, which focuses on investments in tech-enabled businesses and includes MWR InfoSecurity, a provider of cybersecurity for smart grids.

“When it comes to technology, there are now two parts to any deal. First, you need to find the great entrepreneurs who have developed great technologies in their businesses. Then you need to make sure that the business is able to protect its technology and its data.”

David Walters, digital and data director at PE firm NorthEdge, says any investor buying into a technology or technology-enabled business needs to be aware of the potential risks, which range from the how data is sourced and secured to whether core technology is indeed proprietary and not copied or reverse engineered.

“For many companies the way that technology enables their businesses has become as important as the core business proposition. When you are buying into this tech enablement, you need to ensure that the IP you are backing is truly innovative and properly owned and that any data and customer information is secure,” Walters says. “The tech enablement of companies has developed at a rate of knots, and that has made it tough to [perform] due diligence.”

Unfamiliar territory

The findings from the Digital Deal Economy Study indicate that executives in industries where traditionally technology has not been a crucial to core business are finding it challenging to assess technology-related risks – and this can be particularly acute when looking to perform due diligence on targets.

The survey discovered that specialized digital-related due diligence, which includes technology, intellectual property (IP) valuations, cybersecurity, social media and digital analytics, was a significant challenge for executives looking to execute a deal.

Three steps to digital success in deals

As complex as technology due diligence may seem, however, there are some basic questions executives can ask that should provide a clearer picture of a target’s digital capability and risk areas.

“Any technology due diligence should look at a company’s patents and its freedom to operate and use its technology,” Genieser says.

“The pace of innovation is rapid and people can grab information and IP away from a company. Always assess whether there are patents in place, how defensible those patents are and whether there is a compelling business model around those patents.”

Three steps to take toward digital deal success are:

  1. Check compliance

    A key aspect that bidders need to examine when performing due diligence on a target’s technology is whether it complies with key industry standards, such as the Payment Card Industry Data Security Standard (PCI) and ISO 2000.

    “The entrepreneur of a tech-enabled company is typically someone who has grown a company rapidly and developed the business organically. Sometimes that means these companies take a few shortcuts or self-certify and tick the boxes,” Walters says. “If you are buying a company that is storing huge amounts for personal data or growing its e-commerce offering, asking a simple question about whether it is compliant with the relevant industry standard can tell you a lot. If the answer is ‘yes,’ then that is good, but if there is a less clear response, you know you need to look more closely at the risks.”

  2. Check responsibility

    A company’s contingency planning in the event of a cyber hack or data breach is another area that needs investigating. “It is vital to ask who in the C-suite is responsible for that, and what the process is to ameliorate the risk if there is a breach,” Genieser says. Worryingly, EY’s Digital Deal Economy Study found that 44% of companies had a lack of clarity around accountability and leadership for digital transformation.

  3. Look on the bright side

    Digital due diligence shouldn’t focus exclusively on downside risk, but also identify areas where a company can do more to use customer information and data that it already holds. “When we are in the due diligence phase, I am looking at the upside all the time and thinking about how a business can use its data and IP to create more opportunities,” Walters says. “It is about looking at how a company collects data and then turning that into analytics that drives angles.”

    Walters cites NorthEdge’s investment in health club chain Total Fitness as an example of this. The business was already collecting member information, and by analyzing that data in a controlled way the business could calculate which members were less likely to renew their membership by calculating the number of times they used the gym.

    It could then tailor specific marketing to these members to drive a higher membership renewal rate. Total Fitness was effectively transformed from a gym chain into a data business in the health and fitness sector.

    The risks associated with digitalization may be holding back some executives in non-tech, but companies that are reticent need to overcome their concerns.

    “It is interesting to see how fast companies are changing. We think of GE as industrial company, but if you look at the direction GE is moving, it is all about software and digital,” Genieser says. “You have to be digital to succeed and the better equipped you are to understand what it means to be digital, the more successful you are likely to be.”

EY Capital Insights explores issues vital to a company’s Capital Agenda and how they raise, invest, preserve and optimize capital.

Top