This article first appeared in Agenda magazine. Check out the latest issue here.
Getting that merger or acquisition done right is a difficult proposition. From choosing the right target to crunching the numbers, from due diligence to post-deal restructuring, there are already numerous pitfalls, and some devious cyberthieves out there just found a new way to make it more difficult.
We really did not need this experience to get worse, did we? It’s not as though M&A deals are stress-free. Sure, one can be exceedingly careful in selecting a deal, running endless projections using the best formulae money can buy, but there are no guarantees in this business, just ask RJ Reynolds or Time Warner.
And if that target is a Chinese company, well, that checklist of things to worry about just got longer. You are now faced with integrating a new team with a completely different culture and hoping that the payout you gave to the local shareholders was generous enough that they will not turn around and compete with your new operation.
Even if everything else goes well, you still have all those “known unknowns” to freak out about. You know what I’m talking about: tax, labor, intellectual property, environmental and other liabilities that may not have been disclosed properly during due diligence. Additionally, despite having your people go over the target’s books with a fine-tooth comb, there could still be any number of “financial irregularities” lurking out there, and that’s assuming you were given the right set of books. It’s enough to give someone insomnia.
But wait, if you think things are already bad enough, here is a new wrinkle: cyberespionage. No, really. You might think this kind of thing only belongs in a Michael Crichton novel or perhaps only happens to high-tech defense contractors that manufacture flux capacitors or sonic screwdrivers.
Think again. On November 5, the news broke that Coca-Cola had been the victim of hackers back in 2009. According to BBC News, after fooling a senior executive into clicking through a malicious link (there is indeed a sucker born every minute), hackers were able to infiltrate Coke’s systems undetected and then proceeded to access commercially sensitive information for several weeks.
This of course was not the first time a multinational corporation has been the victim of cyberespionage; this has been going on for some time now. So many listed U.S. companies have been hacked in recent years, and have then failed to disclose relevant facts to their shareholders, that the Securities and Exchange Commission (SEC) issued guidelines on the subject in 2011 that called for greater transparency. Thus far, and as the Coca-Cola incident illustrates, voluntary disclosure has not exactly caught on in board rooms in Fortune500land.
Disclosure rules and regulatory issues aside, there is something even more insidious going on here, which brings us back to M&A. The Coca-Cola files that the hackers were virtually ransacking back in 2009 related to Coke’s proposed acquisition of Huiyuan Juice Group, a record-breaking deal, in terms of size, whose approval was pending under the authority of China’s Ministry of Commerce. You may remember this as the first big foreign-related M&A deal scrutinized under China’s 2008 Anti-monopoly Law.
According to Bloomberg, three days after these files were accessed, the deal “collapsed.” The implication here is that this data was somehow used to influence the terms of the acquisition, although since the Ministry of Commerce ultimately rejected it, apparently that strategy did not work out so well.
However, we now have a track record to look at that includes several M&A deals involving Chinese companies and incidents of hacking. Bloomberg cites several recent deals involving foreign companies, such as BG Group, ArcelorMittal and Chesapeake Energy. As usual, no one knows who was responsible for the hacking, although IP addresses can be traced to Mainland China, and some experts believe that “state-backed hackers” are the culprits.
Hackers are apparently no longer content making mischief or going on fishing expeditions, hoping to find something interesting or profitable. No, now we are talking about targeted, timely attacks that may very well be commissioned by parties to an M&A deal. Is this simply hard-knuckled competition? Evidence of China’s aggressive industrial policy? No one knows for sure, but we can say with certainty that the security environment surrounding M&A deals needs to be ratcheted up a few notches.
Unfortunately, corporations will not solve this problem by simply stiffening their own internal defenses. Hackers targeting M&As and other sensitive deals apparently know their way around a corporate transaction and have gone after the networks of law and accounting firms, investment banks, and consultancies. Years ago, when one of my responsibilities was oversight of my law firm’s IT department, I used to be solicited by cybersecurity firms who warned of just this sort of hacking. Back then, we figured “That won’t happen to us.” These days, that is a naïve statement.
Consider yourself warned.