Due diligence disrupted
The fast-changing environment that businesses are operating in today is putting new pressures on pre-transaction diligence.
The threat of digital disruption and the risks it creates is one of the biggest challenges facing C-suite leaders across industries. Companies that are slow to adapt their business models are being left behind, while digitally savvy firms capitalize on growth opportunities – as the so-called FAANGs (Facebook, Amazon, Apple, Netflix and Google) have illustrated (see Figure 1).
Figure 1. FAANG stocks’ contribution to the S&P 500 1H 2018 total return
Every deal is a tech deal: consequences for cyber and intellectual property risk
In a transaction context, this disruption is throwing up major considerations for acquirers when evaluating target companies, including their future growth potential and the operational risks they will be subject to.
“There’s an increasing view that every deal we do now is a technology deal, regardless of sector,” says Shaun Mercer, Managing Director, The Carlyle Group. “There are differing degrees, but most deals face some impact from the pace of technological change – this particularly comes to bear on cyber and intellectual property due diligence.”
A recent report from the European Union Agency for Network and Information Security (ENISA) identified a 28% increase in the number of customer records breached within European organisations in the first half of 2018. And in Q2 2018, three European countries featured in the top-four source countries for web-based attacks (see figure 2).
Figure 2. Europe is a global hotspot for web-based attacks
“We're facing a mounting cyber threat globally – every week we’re seeing new disasters hit businesses – and yet I’d estimate that less than 10% of deals actually include any specialist cyber due diligence,” says Ian McCaw, Head of Cyber M&A for EMEA at Aon.
For many acquirers, it is still standard practice to include cyber due diligence as a sub-component of IT due diligence, which focuses on auditing areas such as traditional IT infrastructure, data centres and IT governance.
Some first-movers have recognised that this approach will no longer suffice. “We see an increasing requirement for specialist cyber due diligence. Employing ethical hackers to do basic penetration testing is one thing, but the human factor is the biggest danger,” says Mike Biddulph, Partner at August Equity. “It’s the individual who doesn’t know the protocols and sets off a chain of events – leading to potentially a cataclysmic loss – that’s an area that requires increasing focus.”
Meanwhile, at Bureau Veritas, Ségolène de Rose, VP M&A, says that not only cybersecurity, but also the General Data Protection Regulation (GDPR), are now requiring heightened focus during pre-transaction diligence. “We’re a European company but we acquire worldwide, so, when we buy a firm, we need to pay close attention to ensure they have all of the systems and processes required to comply with GDPR whenever relevant.”
Failure to address cyber risk in a holistic way can both erode deal value and result in missed opportunities (see “Assessing cyber risk through a value lens”). And we can increasingly expect revelation of cyber breaches to be a deal-breaker. “If a company has recently suffered a catastrophic data loss, subject to fines and enforcement from various authorities, I could imagine that being something that would crater a deal,” says Biddulph.
Where cyber risk can erode deal value
A lack of cyber due diligence can erode deal value, since buyers that overlook cyber risk in target companies could be overpaying significantly. Where are the sources of value erosion?
Where there has been a systems breach or compromise resulting in the loss of customer data or intellectual property (IP), potentially having been sold on to third parties
Where a target company has fundamentally failed to address cybersecurity, meaning that significant capital and, more than likely, operational expenditure (in terms of recruiting new expertise) will be needed.
Remedial actions that need to be implemented, such as misconfigured websites, incorrect certificates or lack of protection on email or web servers. These are usually inexpensive to fix, but if overlooked could cause critical exposures that open the door to hackers.
Where cyber due diligence will add value
Done right, cyber due diligence can help to ensure the true value of a target company is preserved and that the costs of addressing any deficiencies are borne by the seller, not the buyer. How can this be achieved?
Agree cyber fixes pre-transaction
Identify the cyber security issues you want to be addressed by the seller as part of the deal terms, setting parameters such as resolving any issues within the first 100 days
Translate technical exposure into financial exposure
Understanding cyber vulnerabilities is one thing, but quantifying the financial risks they pose is what C-suite leaders will really be interested in. This means determining the financial risks associated with different cyber threat scenarios, such as a denial-of-service attack, the loss of customer data, or the company’s billing system going down. Armed with this insight, dealmakers can ensure that they have in place a financial model for the transaction that accurately represents value in light of the relevant risks.
Digital disruption is also a central factor in driving the shift in business value from the tangible to the intangible (see Figure 3). This transition continues to increase demands on intellectual property (IP) due diligence.
Figure 3: Ongoing shift to intangible value intensifies the focus on IP due diligence
As businesses seek to accelerate their innovation cycles to get ahead of disruption, the number of patents being generated is growing; patent applications at the European Patent Office (EPO), for example, increased by 11% between 2008 and 2017.
The associated risks are substantial, as failure to adequately protect IP or infringing on the IP rights of a third party can lead to financial losses, whether through litigation damages, legal costs or indirect costs such as hits to share price. For instance, non-practising entity (NPE)-related litigation averaged 19% annual growth in Europe between 2007 and 2017. The cases are time-consuming as well as costly for businesses; in Germany, for example, the average duration of IP litigation is 50 months.
All of this underlines the critical importance of getting IP due diligence right; but this is not without its challenges. Romain Londinsky, VP Mergers & Acquisitions at Schneider Electric, points to difficulties in obtaining the requisite access in cases where significant IP is related to a target company’s technology. “If you want to purchase a company that has developed some specific software, it’s increasingly important to dig into the detail to ensure they're not using third-party source code,” he says. “You need access to ascertain its value, but the seller may well push back and refuse to grant this.”
Unlocking value: finding commercial opportunity in IP diligence
Today’s IP due diligence needs to be more extensive than ever before, establishing a clear view of risks to company IP, an accurate assessment of its valuation and of the risk landscape, and an understanding of how current IP aligns with future corporate strategy.
It should not just be a tool with which to assess and mitigate risk; there may be commercial opportunities to exploit through IP due diligence, too. But capturing this requires taking a forward-looking view.
One example is in mapping a target company’s current IP strategy against its long-term direction, and those of its competitors. This can help acquirers to identify any non-critical patents whose maintenance may no longer be required. At the same time, it could shed light on opportunities to licence non-critical patents to third parties and generate new income streams.
As intangible assets become the main store of business value, another area to which dealmakers may turn their attention is the use of IP as collateral to open up new financing opportunities. To take advantage of this, companies will need a strong understanding of the longevity of the innovations protected by their IP assets. They can then explore new opportunities to obtain additional leverage and potentially cheaper funding.
Human capital evolves: The gig economy and cultural change
The primary focus of human capital due diligence has tended to be on retirement and benefits plans, which is understandable given the immediate financial risk they represent.
As Ségolène de Rose at Bureau Veritas points out, these risks can often be deal-breakers. “We’ve pulled out of transactions simply because the financial burden of the pension schemes was too high. Circumstances meant we were unable to consider transferring the risk onto insurers and so we simply had to walk away,” she says.
While these issues remain central, the increasing dominance of knowledge-based industries in many European countries, combined with the emergence of new business models and ways of working, is throwing up fresh considerations for human capital due diligence, too.
The so-called ‘gig economy’, where workers tend towards temporary contracts and freelance engagements, is on the rise across Europe. A report from the Association of Independent Professionals and the Self-Employed (IPSE) found that the number of freelancers in the European Union doubled between 2000 and 2014, far outpacing the growth of any other relevant segmentation of the labour market.
“The rise of atypical workers creates complexity for due diligence, as it can be unclear how you classify workers and what the relationship is between the employee and the company,” says Scott Hopkins, Partner and Co-Head of UK M&A at Skadden, Arps, Slate, Meagher & Flom. “We’ve had instances working with large companies with significant numbers of independent contractors and agency workers, and the documentation isn't definitive, it’s not clear whether they're correctly classified in terms of their employment status. The only way you could really cut through it was to sit down with management and have a very detailed discussion to understand the categorisation.”
The risks are not restricted to categorising employees correctly for tax and compliance purposes, however. While it can be challenging to quantify, dealmakers will need to be forward-thinking in ensuring that target companies are evolving their practices to avoid the risk of talent drain. “Human capital due diligence needs to go far beyond the standard pension and benefits aspects. Ensuring that you have a talent and reward culture that is in line with sector, geographic and contemporary social expectations is critical to future-proofing human capital strategy,” says Alistair Lester, CEO of Aon’s M&A and Transaction Solutions in EMEA.
Piotr Bednarczuk, Senior Partner and Head of Strategic Advisory for Aon EMEA, adds that future-proofing human capital necessitates more in-depth due diligence. “Since most deals today are in some way “tech deals”, the identification and retention of the most valuable talent through the transaction process is increasingly important for success,” he says. “Companies need to apply more data-driven insights to go deeper in the due diligence process, going beyond the natural focus on executives to ensure talent strategy is properly aligned with commercial objectives right across the business.”
1 ENISA Threat Landscape Report 2018, European Union Agency for Network and Information Security (ENISA), January 2019
2 NPE Litigation in the European Union, Darts-ip, February 2018
3 Understanding Independent Professionals in the EU, 2015, The Association of Independent Professionals and the Self-Employed, June 2016
Unlocking deal value
This series of articles sheds new light on some of the untapped opportunities in the transaction process. To unlock this value, dealmakers should challenge themselves to see where they might do things differently:
Can you extract more value from intangible assets?
Seek out all the insight you can on intangible assets. Intellectual property in the broadest sense offers huge value opportunities beyond those traditionally understood. Converting intangible assets to tangible value is increasingly possible.