Automatic Data Processing Inc. deployed a team of cybersecurity, risk management and financial-crime specialists to WorkMarket before acquiring it in January.
The ADP team combed the software maker’s technology, practices and internal policies. It also interviewed staff about monitoring for intrusions, training employees and performing other security tasks. The payroll processor also hired a cybersecurity firm to do its own evaluation.
Security problems, said ADP’s chief security officer Roland Cloutier, could kill any deal.
“If we found out data was exfiltrated, we may walk away,” he said. “We’ve looked at a lot of companies and only purchased a few. Security always plays a part.”
Companies are intensifying due diligence of acquisition targets to avoid costly cybersecurity surprises, particularly when intellectual property, such as software code or customer data drive the deal.
Scrutiny will continue as merger and acquisition activity heats up on expectations of extra cash from lower corporate tax rates. As of late February, 18 transactions valued at more than $5 billion each have been announced — up from 10 such big deals during the same period in each of 2017 and 2016, according to Dealogic.
Gaps in data protection, undiscovered breaches, regulatory violations and other holes in a company’s technology operations can threaten transactions. Such problems can also decrease the value of a deal or leave an acquirer liable for problems after a merger.
ADP investigators typically look for troublespots such as signs of an unauthorized presence on the target’s network and scant or no evidence that employees have received security training.
No significant problems surfaced at WorkMarket, but deep study of a target’s cybersecurity helps executives forecast deal costs, Mr. Cloutier said. ADP typically spends two to four months on the process.
Problems can arise even years later. FedEx Corp. moved quickly last month to secure a server that exposed data from customer driver’s licenses and passports. FedEx inherited the server when it bought e-commerce service Bongo International in 2014.
Four or five years ago, cybersecurity due diligence consisted of asking a few questions in a short phone call, said Evan Wolff, a partner at Crowell & Moring LLP.
Now data compromises can diminish the value of a transaction, he said. Suspected theft of sensitive data uncovered through due diligence “becomes a business issue,” he said.
Verizon Communications Inc. last year renegotiated an acquisition proposal with Yahoo Inc.’s board after details emerged about massive hacking incidents. Verizon would ultimately learn all three billion Yahoo accounts were hit.
As a result, Verizon lowered it’s proposed purchase price by $350 million to $4.48 billion.
The company did studies to assess potential reputational harm and future risks, said Craig Silliman, Verizon’s general counsel, speaking at a Wall Street Journal conference in December. “We said, ‘We feel like we have enough clarity that we can put parameters around the risk here and negotiate a deal that effectively compensates us for the risk.’”
Home Depot Inc. performed cyberrisk due diligence before buying retailer The Company Store and tool-rental firm Compact Power Equipment Inc. in 2017, said finance chief Carol Tomé.
“Our plans are basically to integrate these companies,” Ms. Tomé said. Their operations will be moved to Home Depot’s platforms and networks, she said. “So we’re closing down any little holes that the threat actor could take advantage of.”
The company has assessed cyberrisk on potential deals for the past decade, according to a spokesman. Getting breached in 2014 elevated cybersecurity concerns among senior leaders at Home Depot, Ms. Tomé said. Hackers stole email and payment-card information of up to 56 million customers.
Home Depot’s due diligence playbook includes penetration testing, Ms. Tomé said. “We have a heightened sense of awareness in this area and our due diligence is exhaustive.”
Waste Management Inc. doesn’t dedicate a team to cyber issues during the diligence phase. The company instead focuses on the later stage of moving data from the target’s systems into its own, said CFO Devina Rankin.
The company spends $100 million to $200 million a year on garbage and recycling haulers. Legal, finance and digital groups move data about employees at acquired companies, usually within a week of closing the transaction. Customer data is absorbed within one month, she said.
Acquirers sometimes find costly cybersecurity issues embedded in contracts that a target signed with its own customers, said Buck De Wolf, general counsel for General Electric Co.’s global research group. GE has purchased at least 14 companies since 2015, including several small software providers, according to its annual reports.
Small companies hungry for sales might make onerous promises about how they will help and what they will pay for in a data breach related to their products, Mr. De Wolf said, speaking at security conference in December. It can be “a Trojan Horse” when taking on a new company, he said. Reviewing contracts helps GE avoid these problems, he said.