Debate Among Dealmakers on Cyber Breach Responses

Cyber breaches are beginning to shake up M&A activity. The discovery of a data breach can sink a transaction completely — M&A data security is vital.

18 August 2014


So you’ve been hacked — what next? Besides fixing the problem, what do you say about it, to whom and when? These are serious questions that some are heatedly debating.

It appears the government is taking an ever-harder line on the issue. For instance, the Securities and Exchange Commission is pushing for more transparency from firms that have been cyber-assault victims. Last June, SEC Commissioner Luis A. Aguilar discussed breach disclosure policy to a group of financial professionals in New York City.

According to a SEC press release, he said: “I would encourage companies to go beyond the impact on the company and to also consider the impact on others. In such cases, the right thing to do is to give these victims [customers and investors] a heads-up so that they can protect themselves.”

The Data Breach: A Gift that Keeps on Giving

The SEC is now investigating multiple companies that were hacked to find out if they adequately guarded their data, according to a July 7 Bloomberg article. The SEC also wants to know if these firms informed investors about the breaches’ impacts.

Make no mistake, for Wall Street and beyond, hacking is a runaway problem. The federal government notified 3,000 businesses they’d been hacked in 2013, says a March 24 Washington Post article. “Three thousand companies is astounding,” says James A. Lewis, senior fellow and cyber-policy expert at the Center for Strategic and International Studies. “The problem is as big or bigger than we thought.”

Addressing the breach’s aftermath can be a huge issue, too.

Loose Lips — The Right Thing After a Hack?

Cyber breaches are beginning to shake up M&A activity. The discovery of a breach and the loss of crucial data or intellectual property can sink a transaction completely. Certainly, it may deflate a company’s value fast (admittedly, perhaps not the worst thing if you’re on the buy side).

This also raises another hotly debated question: How far should a company go in disclosing a hack? Hypothetically, revealing a network penetration can reveal vulnerabilities, and invite more cyber assaults. It may also lead to litigation.

So, when it comes to public disclosure, corporate attorneys, regulators, and activist investors don’t have one hymnal to sing from. Admittedly, a public company, say experts, is obliged to report a “material” event — one that could influence investors to buy or sell shares. But, as a former SEC lawyer, Thomas Sporkin, told Bloomberg: “Materiality is very open to interpretation.”

The debate about how and when to disclose a data breach will doubtless continue. Most likely, the discussion will go on until the business world fully hardens its security protocols and technologies. Unfortunately, that may take some time.