Most compliance practitioners did not focus on the pre-acquisition component of mergers and acquisition due diligence until after the release of the 2012 FCPA Resource Guide by the Justice Department and Securities and Exchange Commission. As was made clear by the FCPA Guide and the subsequent Opinion Release 14-02, however, engaging in robust pre-acquisition due diligence can go a long way toward helping a company avoid FCPA liability.
Of course, if your company merges with an entity that was violating the FCPA and continues to do so, it is no longer it who is violating the FCPA but now you.
Recent reports on cyber-security breaches, however, also demonstrate the business reasons for engaging in robust pre-acquisition due diligence from the cyber-security perspective. Businesses more fully understand the higher risks of cyber-penetration from outside; whether through third parties or through acquired entities. They are, therefore, managing these risks more robustly.
The theft of customer data is on the forefront of many companies these days, but cyber-theft can also include such information as intellectual property and software code. Loss of a company’s crown jewels can lead to a catastrophic economic loss. Some of the areas of inquiry include review of cyber-security policies and procedures, training of employees, interviews with key employees around cyber-intrusions, and other similar risks.
If there are gaps in cyber-security, it can negatively impact the financial value of the transaction. ADP Security Chief Roland Cloutier has said from his perspective that it could “kill the deal” if data was exfiltrated from a target company. Even if it does not kill a deal, a cyber-security issue can drastically lessen the value of a transaction, such as the reduced price that Verizon paid for Yahoo.
The bottom line is that pre-acquisition due diligence is becoming more and more critical, far beyond the financial perspective—from the compliance perspective to the cyber-security perspective to infinity and beyond.