Like other board members encouraged by the unexpected upturn in the economy, Owen Ryan is revisiting the prospect of strategic acquisitions. “The broader economy seems to be trending in the right direction, and we appear to have hit bottom or close to it, creating more upside M&A opportunities than downside risks,” says Ryan, chairman of the board at publicly traded company BlackLine.
The midsize provider of finance and accounting automation solutions is looking to build out its platform through what Ryan calls “logical adjacency expansion.” BlackLine made three acquisitions in the past three years and is lifted by higher-flying economic prospects to eye other deals, assuming they serve the broader needs of the office of the CFO, the focus of the company’s cloud automation and software products and services. “We’re not about to play M&A bingo, but we are looking for opportunities that matter to our customers, based on what they’re asking us to build, figure out or partner with,” says Ryan, who also serves as BlackLine’s co-CEO.
These opportunities may make a return in the second half of the year, following a first half that fared much better than economists forecasted at the beginning of 2023. Although the Federal Reserve raised interest rates in July to their highest level in 22 years (the Fed’s eleventh hike since March 2022), the tough measures appear to be working. July’s inflation rate of 3.2 percent represents a big drop from 8.3 percent the year prior. GDP shot up 2.4 percent in the second quarter of 2023, unemployment rates have remained steady, and the stock market is posting records. Notably, only 17 percent of executives now anticipate a recession.
That change of circumstances bodes well for the reignition of M&A activity, notes Phil Isom, global head of M&A at KPMG, whose company has been helping companies prep for sales when that window reopens. “With inflation much lower now and the end of rate rises in sight, we are seeing green shoots and are optimistic that dealmaking will return through the first half of 2024,” he says. “Buyers and sellers are coming to grips with the impact of the rate increases, price discovery has begun, and we are expecting a new normal in terms of the number of deals closed, certainly down from the record levels seen in 2021 but markedly over 2023. Within our own backlog, we have already seen a pickup, particularly in the privately held middle market space.”
A significant course correction will be necessary to get dealmaking back on its former track. Global M&A deal value was down 44 percent in the first five months of 2023, according to Bain & Company. A report by S&P Global Market Intelligence indicates deal volume remained lethargic through the remainder of Q2 2023.
While nobody is predicting an explosion in M&A activity in the near term, board members and M&A advisors say pent-up demand is fueling interest in acquistions and divestitures. As Mark Weinberger, board member at public companies MetLife, Johnson & Johnson and Aramco puts it, “Companies need to transform to get new talent, R&D, suppliers, technology and AI. Acquisitions typically are a quick way to do that. The problem is the ‘uncertainty tax’ that sits on dealmaking.”
He’s referring principally to intensifying regulatory oversight of M&A transactions, particularly actions by the Federal Trade Commission that make it more time-consuming to merge. The FTC has proposed changes to its pre-merger review process that would increase the average time to prepare a merger filing from 37 hours to 144 hours, costing approximately $350 million in added expenses for an estimated 7,100 filings a year. That’s just the pre-merger waiting period.
If FTC staffers request additional information for review and impose depositions and hearings upon the merging parties, months and possibly years can sail by. Microsoft’s $68.7 billion acquisition of Activision Blizzard is the poster child for regulator-induced foot-dragging. The tech giant announced a deal had been made in January 2022. Eleven months later, the FTC blocked it. In mid-July 2023, the U.S. Court of Appeals for the 9th Circuit denied the FTC’s motion to temporarily stop Microsoft from closing the transaction. At press time, the deal was still in limbo. “The efforts to identify, execute and close a deal can eat up a lot of time and money,” says Weinberger. (See “Regulatory Deal-Breakers,” p. 38)
Time is of the essence going forward. Nearly 40 percent of 4,410 CEOs in a January 2023 survey by PwC think their organization will be unsustainable a decade from now if they continue on their current path. “The actions taken today to transform and reinvent a business are critical to remaining viable for the future,” says John Potter, U.S. deals, markets and clients leader at the Big Four audit and advisory firm. “Acquisitions and divestitures are a big part of these transformations and reinventions.”
Drawn-out closing periods put a damper on planned transformations. To shorten the time frame, dealmakers should get their paperwork in order before an announcement is made, says Charles Ruck, global chair of the corporate department at the international law firm Latham & Watkins. “The fact that it’s taking longer to close deals argues that you need proactive due diligence to get the deals done quicker.”
“The best-prepared buyers and sellers will resume dealmaking faster when the logjam breaks in terms of price expectations,” agrees Suzanne Kumar, vice president of Bain & Company’s M&A and divestitures practice. “Work is already being done behind the scenes, giving us confidence that more deals will come to the market and the appetite will quicken on the buy side.”
Her advice to board members is to ensure the executive team continues to source deals, maintains a pipeline of attractive assets, stays on top of the status of these assets and conducts preemptive due diligence, “so when the market turns, you’re ready,” she says.
Check the tech
Preemptive due diligence also helps buyers guard against unwelcome surprises after a deal closes. Ryan ticks off a list of due diligence priorities: Do the company’s software and systems work as advertised? Have they been tested? How can you integrate the assets into your portfolio? Are they secure? How vigilant is the company in monitoring cyber risks?
Steven Horowitz, board member at public company SCWorx and privately held Careviso, says board attention needs to be given to the future state of an acquisition candidate’s IT systems. “If you’re looking to buy a company because you think it can scale pretty quickly, will its systems support the growth? Will you need to make major upgrades? I’d want to know that now, and what it might cost, as opposed to a couple years from now,” he says.
Other board members note that cyber risk is a more important due diligence consideration than it has been, given the proliferation of AI models and increasing interest among businesses in using them. A company’s use of AI models for business purposes poses risks that can be passed down to the buyer post-transaction. For example, the algorithms within the AI model may be embedded with old, inaccurate or unintentionally biased data, making the information worthless or worse, says Horowitz, since the buyer’s reputation can be affected.
Veteran board member Stephen Kasnet says such risks are elevated, given a trend among buyers to find companies “more steeped in AI” than their own organizations. “It takes a large amount of money to develop an AI product in-house, resulting in the decision to find a partner already up to speed with it,” says Kasnet, who chairs the boards at publicly traded real estate investment firms Granite Point Mortgage Trust and Two Harbors Investment. “Proactive due diligence into a candidate’s use of AI is becoming a necessity.”
Vulnerability to AI deployed by cyber thieves is a growing concern. In late July, the FBI held a call with journalists about the use of generative AI models by so-called threat actors to develop new forms of malware and polish the look of a phishing attack, often the means by which company systems are breached. The number of malware attacks across the world was nearly two-fifths higher in 2022 than the total volume in 2021, reaching an all-time high of 1,168 weekly attacks per organization in Q4 2022.
If the IT systems of an acquired business have a software vulnerability—a flaw or weakness in software that can be exploited by malware—hackers can use it to disrupt the business of the acquiring company until a ransom is paid. More than 25,000 new software vulnerabilities were discovered in 2022, the highest ever reported. In Q2 2023, the National Institute of Standards and Technology tallied another 6,991 software vulnerabilities, 1,027 categorized as critical.
Cyber risks are under increased regulatory scrutiny now that the SEC has finalized and adopted its long-awaited cybersecurity rules in late July 2023. Among the regulations is a rule requiring that a material cybersecurity breach that may affect the bottom line must be reported to the SEC within four days. “It is incumbent that boards ensure management has vetted an acquisition candidate’s current state of cyber readiness,” Horowitz says.
Eric Stickels, chairman of Community Bank System, reports his company is digging more deeply into the cybersecurity practices of acquisition targets. “Our due diligence into the cybersecurity of a potential acquisition has intensified, in the sense that it must meet the level of cybersecurity we have in our core business and supporting businesses,” he says. Community Bank System operates more than 230 banks in the Northeastern U.S. and is also composed of insurance brokerage, investment trust and wealth management operations.
An acquisition candidate’s supply chain must also must be vetted for cyber resilience, says Ellen Richstone, a director at Superior Industries, Orion Energy Systems and Cognition Therapeutics. “The external risk of a cyber attack that takes down the systems of suppliers, vendors, cloud providers and other third parties can result in a costly business disruption for the acquirer, even if the company itself is not attacked,” she explains.
The Government Accountability Office defines such attacks as a cascading cyber incident that “spills over from the initial target to economically linked firms, thereby magnifying the damage.” Potential losses globally can range from $2.8 billion to $1 trillion, the GAO states.
Watch the Exits
While top talent has always factored into M&A due diligence, the risk of highly skilled employees leaving during the deal negotiations or after the transaction close is another area of increasing concern. At a time when employees increasingly value qualities like a good cultural fit or hybrid work opportunities, companies should take steps to mitigate the risk of turnover in the wake of a deal. “Often, the people who created products and services are overlooked as critical talent,” says Vina Leite, board member at public company Jamf, a software and mobile device management company, and DocGo, a privately held mobile medical transformation services provider. “Post-acquisition, their loss is the acquirer’s loss.”
“If you’re looking to transform the business over the next 10 years to get new R&D, it’s crucial you acquire the talent behind the R&D along with the rest of the company,” agrees Weinberger.
In advising on M&A-related decisions, Leite developed a due diligence “matrix” that includes talent and culture. When an acquisition candidate surfaces as a strong possibility, she asks its senior management for a detailed synopsis of the organization’s mission, vision and values. She subsequently visits the candidate’s facilities and interviews midlevel managers “to get a good understanding of the critical talent,” Leite says. “You can’t retain top talent unless you know who they are and spend time with them.”
Stickels cites talent as the second most important factor in the board’s consideration of an acquisition, after the economics of the deal. “Cost savings can arise from staffing reductions, given overlapping and redundant positions,” he explains. “Consequently, we need to make sure we retain the ‘best and the brightest’ after the transaction closes—not just those [at] the acquired business but on the acquirer side, too.”
Eyes on supplies
Also under the microscope at many boards is a target acquisition’s supply chain, a consequence of the lingering issues emanating from recent global supply chain issues. Many companies that historically relied on low-cost China-based factories made the decision to migrate to suppliers in emerging Asian markets and the Americas.
“Extended supply chains are a thing of the past due to geopolitical pressures abroad and what it can mean economically for communities to onshore manufacturing plants,” says Ryan. “As companies continue to de-risk from China and diversify their supply chain, we’ll see a continuation of onshoring domestically and nearshoring around the world. Acquisitions and divestitures, as well as partnerships, are a means of reconfiguring the supply chain geographically.”
These reconfigurations can present potential acquisition risks. “From an operational standpoint, if you’re looking to acquire a company with a supply chain throughout Asia, the uncertain geopolitical climate has made it crucial to focus on the tiers of different suppliers,” Richstone explains. “If supply is constrained after the deal closes and demand is high, the financial repercussions can be severe. On the boards I sit on, we make sure management has conducted a thorough review of the potential technical and geopolitical issues for every supplier.”
Buyers should also conduct comprehensive reviews of a target company’s intellectual property and patents, ensuring the patents have been filed correctly and remain valid, and the candidate’s IP travels with the business to the acquirer after the close of the transaction. AI applications, for example, are an emerging IP concern in acquistions, notes Ruck. “AI ingests an enormous amount of data, mixes it with other data and then reformats it into something else—a new work that is subsequently patented. We’ve seen this happen in music and with drug formulations. But the unanswered question that goes to the value of a merger or acquisition is whether the AI has infringed on existing patent protections.”
The answer entails examining the trail of data leading up to the development of the new work. In recent years, a cottage industry of forensic data analysts has emerged to conduct such backwards reviews.
An acquired company’s products and services may also become obsolete in the foreseeable future. “Frankly, if AI can supplement or replace essential services in which the judgment of people is applied to produce value and financial results, an entire business may become obsolete,” Ruck says.
Finally, board members must be attuned to the transformations of their competitors and non-competitors, as well as those of the companies they acquire. “I often worked with CEOs who were fairly narrow in how they perceived competitive threats,” says Ryan, a former consultant who served as CEO at Deloitte Advisory. “You need to be looking at the entire horizon—the possibility that a competitor will develop something that quickly makes your products or services obsolete. Competitive intelligence is crucial.”
Balancing the need to ensure adequate M&A due diligence with the CEO’s desire for rapid transformation can be challenging. “If I think I need to fundamentally change my business within 10 years and do it in part through acquisitions and divestitures, a losing fight with the FTC that could last a year or more puts me back at square one, looking for another deal,” says Horowitz.
Or, as Ruck puts it, “The question is not, ‘Can I afford to wait two years to get a deal done?’ but rather, ‘Can I afford not to?’” The clock is always ticking.