Deal breaker

Life Sciences M&A: A perfect storm for cyber crime

Life sciences is among the most threatened industries that needs to step up to the growing challenge of cyber-crime. This is an industry built on innovation that has all the characteristics to make it highly attractive for cyber attackers: high revenues, extensive spend on R&D and operations, highly sensitive intellectual property, trade secrets, and an almost total reliance on the underpinning technology to run the business. Add to this that life sciences is also one of the most active industries in M&A – a unique time when the most sensitive information assets on both sides of a transaction may be more exposed – and you have the perfect storm for cyber-crime.

Impact of cyber-crime on M&A

There are a number of consequences that cyber and data breaches will have on an organisation, with subsequent implications on M&A and the potential destruction of post-deal benefits. Examples outlined include:

Mitigating cyber risk

While cyber risk can’t be fully eliminated, it can be better understood and managed by taking appropriate actions before and during the M&A lifecycle.

• Before a deal - a seller will typically focus on achieving the best possible price for the business. One course of action to consider would be to assess and, where necessary, improve its security capability. The key is to focus efforts on identifying and protecting the most critical information assets, which can be achieved by embedding good cyber behaviours while improving capabilities to detect and respond to breaches in a way that minimises business impact.
• Due diligence phase – as a seller will be sharing information that underpins the potential value of the transaction, it’s crucial to minimise risk through enhanced data security related governance, procedures, and monitoring so that any potential suspect actions can be spotted and addressed quickly. The buyer is focused on due diligence of the target during this phase, covering a number of areas of the business including commercial, finance, legal, and medical safety. There is a strong argument to add information security to these areas so that potential vulnerabilities can be identified along with an estimate of the likely investment required to remediate any gaps.
• After deal closing - the risks can vary and there are a number of areas that should be considered, including: additional IT security assessments; change management; secured mechanisms for connecting corporate IT networks and for email exchange; and the secure transfer of electronic and physical data.

Given the potential consequences of a cyber breach are so damaging, it would be prudent for senior executives to consider allocating a portion of due diligence budgets to the technology function for the purposes of cyber due diligence. Senior executives should also acknowledge that cyber mitigation is no longer a one-time investment but expect remediation activity in every deal, building this into their valuation models. By taking the appropriate steps and giving this the attention it needs, companies can manage their cyber risk effectively and plan for successful transactions.