Uneasy lie the heads of those who sit on corporate boards. And their anxiety is rising with every CEO who decides their company can boost profits faster through mergers and acquisition than through organic growth.
Ensuring effective due diligence on targets—not to mention your company’s own practices—has always been critical in M&A. But just as risks are rapidly evolving on all board fronts, they’re transforming the takeover game, too. And leading the pack of concerns directors must confront when evaluating targets and managing information is a new, ubiquitous duo: bribery and corruption, and cybersecurity.
Let’s start with the cybersecurity.
“The problem has been around a long time,” says Adam Kardash, Toronto-based lead, privacy and data management practice at Osler Hoskin & Harcourt LLP. “But it has only been in the last two years or so that executives and board members have come to fully appreciate the importance of data management security during M&A negotiations.”
Blame the high profile, high-cost corporate hacks and cyber attacks in recent years for raising awareness. By now, with the average cost of a data breach currently pegged at US$3.8 million, companies and boards should know enough to control and protect data the same way they handle financial assets. But not everyone does.
Where this matters most is if you’re buying a business far-flung or large enough that it might carry on in some standalone fashion with bad practices intact; or, if it’s one that dealt heavily with customers, cus- tomer data and other third parties, where such data might have been previously compromised and still represents a present-day privacy or security risk.
According to Kardash, when buyers wish to determine if the target firm has a robust data security system in place, the process starts engaging subject-matter experts, i.e. IT professionals, to review the seller’s relevant cybersecurity hardware and protocols. Then lawyers and accountants can start conducting more conventional due diligence inquiries to validate that the proper warranties, covenants and contracts are in place.
This may require an independent forensic report on the status of the target’s most strategic data. Today, the most crucial data relates to consumer- and client-facing transactions held by retail, financial services and healthcare firms. Less affected are manufacturers and resource companies.
Kardash claims that finding shortcomings in the acquiree’s cybersecurity system will not necessarily kill the deal. However, identifying the gaps and calculating the cost of fixing them may affect the purchase price.
ENSURING THAT THE seller has an effective anti-corruption protocol in place offers up its own set of due diligence challenges. The primary motivation here is the increased emphasis and vigilance with which law enforcement and regulators are going after bribery and corruption. If your company unwittingly buys into a bad actor, the repercussions could be, at minimum, costly; and at worst, damage the acquirer’s entire business and shareholder base.
In Canada, increased scrutiny and exposure in this area is linked mainly to changes to the Corruption of Foreign Public Officials Act (in 2013) and Public Works Canada’s integrity rules (in 2014). Stateside, the Department of Justice and Securities & Exchange Commission have been even more aggressive in prosecuting that country’s Foreign Corrupt Practices Act, for an even longer period.
For boards and management, M&A risk assessment analysis should start with the flagging and examining of deals with a higher potential for corruption and bribery, according to Milos Barutciski, a partner and trade and competition lawyer at Bennett Jones LLP in Toronto. Such deals “include those requiring the support and approval of politicians and government officials.” Barutciski lists procurement for defence, healthcare and infrastructure as high risk. He also notes that while investigators focus on the bottom 50 countries in Transparency International’s Corruption Perceptions Index, corruption can happen anywhere, even within Canada.
Another high-risk sector is natural resources. Typically such concessions require intense involvement with government officials as they pass through several layers of permit approvals and undergo numerous environmental, labour, safety, and social justice reviews.
Barutciski urges buyers to closely examine the seller’s staff, partner and customer lists as well as relevant upstream and downstream contracts and interactions with regulators. He also cautions against making snap judgments about possible red herrings such as the seller’s use of third-party agents. “That should not be a problem, unless the agents request anonymity or want to be paid indirectly through off-shore banks,” he says.
Avoiding successor liability is key for acquiring firms. If the target firm has been involved in earlier illicit activities, the new owners are not liable for such past sins. But if the practices are not discovered or fixed after the M&A negotiations, the buyer is on the hook if regulators later find that those illegal practices persist.
Such oversights lessen the value of the acquisition through possible fines, contract disbarments from international financial institutions such as the World Bank, not to mention loss of sales and reputational damage.
Failing such bribery/corruption tests can be a deal breaker. In 2004, Lockheed Martin Corp. cancelled its US$2.2-billion deal to acquire Titan Corp. after it failed to resolve a U.S. Department of Justice bribery inquiry into charges that Titan consultants bribed officials in Saudi Arabia and Bénin to win contracts.
To allay fears that M&A due diligence results may not be bulletproof, both sides can decide to sign an indemnity that serves as a bumper guard to protect their individual interests.
Says Barutciski: “Acquirers often demand an indemnity to cover the cost of undiscovered risks in an acquisition. It can also involve payment of part of the purchase price into escrow for a period of time to cover liabilities related to problems discovered during the due diligence exercise that cannot be resolved before closing.”
He cites a case in which an earlier compliance problem arose after the deal had been signed but not closed. “The cost to fix the problem came out of the escrow account linked to the indemnity that the buyer and seller had agreed upon,” he says.
Accountants also play a role. “We focus on assessing the anti-corruption policies and practices of firms that do business directly or indirectly in jurisdictions with high corruption risks,” says Emmy Babalola, Toronto-based senior manager, Deloitte Forensic. “That includes closely examining the design and implementation of their existing anti- corruption compliance programs, as well as transaction-specific testing to identify any red flags. These may involve cash payments with minimal supporting records or without formal receipts, or expenses that are not tied to specific projects of interest.”
Throughout M&A negotiations, buyers must remain vigilant in their due diligence efforts to ensure that sellers fully disclose any corruption or cybersecurity skeletons in their corporate closets. Or as one lawyer once explained, “It’s not about the answers you get, but the questions you ask.”