December 2, 2019

IT Compliance Considerations for M&A Stakeholders

When it comes to M&A, IT non-compliance on the part of the seller can risk collapsing a deal, especially now when consumer data and privacy are invaluable to both customers and businesses. In a recent ACG webinar, IT compliance specialists from DHG Private Equity shared their thoughts on how companies from every sector and the brokers in between should approach IT compliance when it comes to mergers and acquisitions. The health of a company’s IT environment and the safeguards they have in place are vital considerations as buyers assess targets and as companies enter the M&A marketplace in the digital era. The most salient takeaway was although data and privacy compliance are not optional, the decision to regularly audit the IT environment and safeguard consumer privacy will better prepare a company for future investments and mitigate the ballooning costs of cybercrime.

Getting to the why of IT compliance involves taking an honest look at the ways in which companies collect data and the threat landscape that exists, no matter what sector they operate in. Companies can collect data on their customers both passively and actively. The active data collectors are the ones that jump to the forefront when we think of consumer privacy. A life sciences business that manages sensitive medical records may be a more obvious compliance risk than the local grocery store chain that employs a third-party chip card reader. No matter how they appear externally, both companies are targets for data breaches that can cost millions in regulatory fines, remediation costs, and damaged customer trust. A 2018 study by IBM found that the average cost of a data breach was $3.86 million, with each breached record tallying $242 on average. These costs will only increase: companies of every size and belonging to every sector are at risk and should take active steps to audit their IT environment and protect customer data.

From the perspective of brokers and sellers, IT non-compliance can slow a deal in due diligence or halt it altogether. Buyers will likely choose not to acquire a target that would need a compliance framework built from the ground up or that has irregular compliance reporting. These irregularities put the potential buyer’s reputation at risk and can derail a deal if not addressed. Additionally, having a comprehensive and modernized IT environment can aid post-transaction IT integration between buyer and seller. Overly complex safeguards, legacy systems, and inconsistent operating systems are just a few examples of potential M&A roadblocks companies should assess before going to market. Doing so will mitigate risk to the buyer and speed up due diligence.

Depending on which domain a company falls into, there are myriad state, federal, and institutional regulations to consider when implementing a compliance framework. Payment card information (PCI), for instance, carries its own regulatory framework that has become more pressing after recent PCI breaches of companies like Home Depot (2014), British Airways (2018), and Capital One (2019). HITRUST is a compliance framework for medical and life science companies that deal with protected health information. It establishes a more stringent and involved framework for the electronic transmission of health information than HIPAA, which has historically been the leader of medical data compliance. When it comes to consumer data and privacy, GDPR (EU) and CCPA (California) are two regional regulations that have global consequences for data security and consumer rights. Buyers are unlikely to even consider a target that is not GDPR or CCPA compliant. The list of IT regulations continues to grow in proportion to the number of cyberthreats and the demands of customers to better understand how their data is being used.

The role of both bankers and companies who seek to make long-term investments is to understand how they collect data about their customers and what they can do to comply with an ever-growing set of regulations. In doing so, companies will protect against ballooning cybercrime costs while best positioning themselves to potential buyers.