Ensure your M&As drive value: Avoid information risks with information governance

Published On March 24, 2021

A common business strategy that organizations are increasingly using to enhance their value proposition is mergers and acquisitions (M&A). While this strategy can be very beneficial, information governance is a missing key component to whether an M&A results in maximum value or not.

Here’s a scenario: A North American company acquires a European company but fails to recognize that the acquired company falls under, and must adhere to, GDPR regulations when it comes to information the company collects on customers. Once the acquiring company learns this, they have a small window of time to review the acquired company’s physical and digital information, security infrastructure and make any necessary compliance changes. 

Now, had the acquiring company fully understood the privacy risks and obligations that come with being subject to GDPR -- or CCPA, Canadian PIPEDA, or other privacy regulations -- they may have been able to negotiate the financial burden into the purchase price. Had they also successfully integrated the information risk into the M&A process, this deal may have driven more value in the end. 

Assessing information risks

Before acquiring a company it’s important to understand what privacy obligations and regulations may apply to them and their information. This is where conducting an information risk assessment is key so that you can understand what obligations and risks you may be taking on once you acquire said company. 

In the example above, had the acquiring company conducted an information risk assessment prior to closing the deal, they would have been able to identify any GDPR issues. 

These issues could include:

• The loss of significant volumes of customer information as a result of not being properly obtained using GDPR consent requirements.

• Complications of having to introduce proper controls after the fact to identify relevant protected information.

• The burden of revising customer and employee policies to include GDPR requirements.

• The requirement for a Data Protection Officer.

• The requirement for a Data Protection Impact Assessment.

• The challenge of monitoring and tracking data subject requests to enforce their rights under GDPR.

And potentially more.

Integrate information risk into the M&A process

The impact information risk events have had on M&As is no secret. In 2017 one Internet company’s data breach disclosures led to a $350 million price reduction when they were acquired, for example. One hotel chain’s stock price declined 5.6% due to a security breach that occurred between 2014 and 2016. However, the breach wasn’t discovered until 2018.

These two examples highlight why formalizing an approach to understand and manage information risk throughout the M&A process is so important. 

In order to do this successfully, four key elements must be incorporated:

1. Exploration

2. Due diligence

3. Pre-close

4. Integration

A well planned and executed IG strategy that includes privacy, cybersecurity and retention is not only a sound business practice but is also central to achieving the expected value from an M&A.