Abbott Laboratories (ABT), a global manufacturer of healthcare product, announced the acquisition of St. Jude Medical (STJ) in April 2016. The $25 billion deal is now in peril after a recently-released cybersecurity report alleged that STJ’s pacemakers and defibrillators – part of a category that represents 50% of STJ’s revenues – were vulnerable to wireless cyberattack by hackers, jeopardizing the safety of thousands of device recipients.
The author of the security report, MedSec Holdings, fed their findings to Muddy Waters Research, an investment research firm that subsequently shorted STJ stock. This arrangement financially benefited Muddy Waters and Medsec when the damaging report was made public and the STJ’s stock price dropped more than 10%. As a result of the report, more shares of STJ were traded on the date of the cybersecurity report release than on the day the acquisition was announced in April. Muddy Waters and other short-sellers stand to profit even more if the deal falls through because of these cybersecurity lapse disclosures.
Public scrutiny around acquisitions has heightened for both companies involved in a deal. Senior leadership, including the Board of Directors, must ensure that cybersecurity due diligence is conducted as faithfully as any other diligence area. In a 2016 NYSE Governance survey, three-quarters of respondents said that a high profile data breach at an acquisition target would have serious implications on a pending acquisition. Moreover, more than half of the respondents said that a high profile cyber breach would diminish an acquisition target’s value. Cybersecurity risk can be viewed and managed as a risk amplifier of other categories like financial, operational and strategic risk. Though cybersecurity issues sometimes surface during the early diligence phase, it is more often the case that issues don’t become apparent until after the deal closes – during the integration phase – leading to integration delays, cost overruns, and, worse case, a breach.