Overview - AWS Prescriptive Guidance



In 2011, the U.S. Securities and Exchange Commission (SEC) published guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents, in addition to anti-fraud and fair deal requirements. For the past decade, regulators have been blocking acquisitions or divestitures that are a compliance liability. The global market has witnessed mergers that inherited unknown security risks and non-regulatory compliance from the acquired company. With the unforeseen global changes during 2020, experts expect a higher number of divestitures.

Corporate executives are aware of the personal accountability and the board of directors’ fiduciary responsibility for cybersecurity and regulatory risks, and the monitoring and mitigating activities needed. The SEC and courts can sanction mergers and acquisitions (M&A) deals even if penalties to settle securities fraud charges weren’t paid on time, and privacy class action or securities lawsuits brought by shareholders weren’t settled. To validate the importance of cybersecurity in business valuation, Donnelly Financial Solutions performed a survey in 2017 and found the following:

  • 40 percent of investors walked away from a deal because of cybersecurity issues.

  • 80 percent of respondents say that they have uncovered data security breaches in 26-75 percent of M&A targets.

  • 60 percent are concerned about the potential intellectual property theft of the company that is being acquired.

Best practices

Companies that manage their overall risks support compliance throughout their business operations and functions. It is easier to divest a business or acquire a new one when there is a high level of maturity in control implementations—policies are established, procedures are implemented, teams are trained, and tools that ensure automation, monitoring, and reporting are used. To manage your cybersecurity and regulatory risks, follow these best practices:

  • Operate with a regulatory framework and risk model in mind throughout the acquisitions or divestiture lifecycle; design a playbook to use.

  • Align with SEC and regulatory guidance and industry best practices. This is critical when the divested or acquired business has special requirements.

  • Leverage the cross-functional teams in AWS that have industry specialty and transactional experience.

Transforming due diligence to value

The purpose of the AWS cross-functional M&A Value Realization Office is to help customers transform the M&A and divestiture process from a due diligence process to an efficient value realization by leveraging AWS subject matter expertise throughout the M&A lifecycle. The advantage that AWS has is in the visibility it provides to customers and the metadata it maintains of customers' technical inventory.