Due Diligence In Investments And Acquisitions: Using Data To Evaluate Security And Data Privacy

Yair Kuznitsov, CEO and Co-Founder at anecdotes.

In life, some things are wholly unpredictable. As it turns out, the Covid-19 pandemic did not take as big a bite out of venture capital investments and mergers and acquisitions as had been feared. In fact, according to EY, “The top two years ever of venture investment have come during the pandemic.” And after a sharp downturn in the first half of 2020, M&As came roaring back in the fourth quarter. According to PwC, the number of announced deals in 2021 was “up an unprecedented 24%” globally from 2020, and 2022 should be another “supercharged year.”

With this increase, coupled with the market focus on increasing regulations, it’s a good time to consider whether due diligence processes in the areas of data privacy and information security could use an upgrade.

Not long ago, determining a target’s privacy and security status was an afterthought of due diligence. According to the American Bar Association, buyers conducted limited privacy and security due diligence, and purchase-related documents rarely discussed related risks.

The target’s privacy and security posture might be checked to make sure nothing obvious would threaten a deal. But unless a company was particularly dependent on data, privacy and security were “minor considerations for an acquirer.”

Increasingly, however, determining a target’s maturity in privacy and security compliance has become a critical aspect of both M&A and VC due diligence. This is due to the need to reduce the acquirer’s legal and reputational risk resulting from breaches and due to the recognition that compliance maturity in privacy and security is a business enabler.

Data: To Assess Risk From Breach Of Privacy Or Security

Government penalties, brand damage, loss of trust—these repercussions (and worse) are just some of the results of acquiring or investing in businesses without conducting adequate due diligence into privacy and security practices.

Conducting due diligence regarding data security and privacy is the obvious answer for reducing risk—but how does a buyer assess the data and security of a target? One possibility is to interview the CISO and/or data privacy officer. Handing them a 200-line questionnaire about the target’s compliance with GDPR or another applicable framework will likely yield even more comprehensive information.

If the target’s management is really on its game, IT or security may perform a gap analysis of frameworks and/or policies. These methods provide some insight, but there are limitations: The information is only as good as the data it’s based on and the truthfulness, knowledge and accuracy of the person completing the forms.

There’s an additional option along these lines: If the target is certified under ISO 27001, or audited for SOC 2, the investor can check out those documents. But that’s no substitute for due diligence. Certification under ISO 27001 reflects a management standard, plus the management’s determination of what constitutes an acceptable level of risk—and a buyer assessing the data independently might not reach the same conclusions as management. Similarly, merely having SOC 2 does not necessarily give sufficient information for a potential acquirer or investor to decide whether to proceed.

Instead, by looking at the target’s security and privacy compliance, and the data that compliance is based on, companies can rely on objective facts. Data is more reliable than reports, certificates and conversations; while those reflect a target’s answers to compliance-related questions or management’s good-faith determination of tolerable risk, these sources are one step removed from the actual data and the undeniable answers it alone can provide.

A buyer given access to a target’s compliance-related data can more accurately assess the target’s risk of security and privacy breaches, then use risk quantification methods to put a dollar value on any such risks. The buyer can then consider whether to go ahead with the deal and what contractual provisions, risk allocations and even pricing changes are necessary for the deal to proceed.

This way, before a company invests money and reputation, it knows exactly what it’s buying.

Data: Because Compliance Maturity Is A Business Enabler

The focus on due diligence is generally based on uncovering hidden risk. But when due diligence focuses on a target’s security and privacy compliance, there is a further advantage: unmatched insight into a target’s business growth potential.

Buyers want to know, based on real data, whether a target can grow. Can it stand behind promises of scaling and penetrating new markets or industries? Increasingly, a company’s compliance programs are recognized as enabling business growth. When compliance controls are embedded into every step of business processes, the company can grow and adapt to changing circumstances while maintaining security and privacy practices vital for ensuring customer trust.

In fact, according to PwC’s 2022 Global Digital Trust Insights Survey, one benefit of good data security is increased revenue. This is true to an even greater extent when security compliance is based on a continuous flow of data; data-based compliance allows a company to follow new opportunities more easily, simply because current data is ever-available.

Using data as a basis for due diligence is analogous to how an acquirer would analyze any other facet of the target. For example, to determine the health of the target’s sales pipeline, the acquirer would not just interview the director of sales; they would also want the independent, accurate data that only sales pipeline management tools can provide. Similarly, an acquirer who wants visibility into the true security and privacy posture of a target would review the data produced by the target’s compliance tools for an independent assessment of the strength of the target’s security and privacy.

Due Diligence Requires Data

Data-based due diligence into a target’s data privacy and security can give a buyer or a VC investor an accurate picture of the risks—and growth potential—embedded in a target. Analyzing objective data is increasingly the better way for an acquirer to ensure that a target holds no surprises—or only good ones.
