15 September 2016

Practice Safe… M&A Due Diligence!

Derek Athy

Why Abbott Labs Could be the Real “Victim” of St. Jude vs. Muddy Waters/MedSec Controversy

Research exposing potential security vulnerabilities halts Wall Street trading of a Fortune 500 company? No, no, no, we’re not talking about Evil Corp, we’re talking about one of the largest medical device manufacturers in the USA, St. Jude Medical. On Aug. 25th, Carson Block, founder of research firm Muddy Waters LLC and a “renowned” short-seller, announced in a controversial report to investors that the firm was taking a short position on St. Jude Medical, temporarily plunging St. Jude stock by up to 8%, and even halting trading of St. Jude stock for a short time period.

Why, you ask? Miami-based cybersecurity company MedSec Holdings Inc. approached the firm with news of “astounding” security flaws detected in St. Jude Medical-produced cardiac devices, which just so happen to account for ~45% of St. Jude’s revenue.

In response to the controversy, St. Jude has filed a lawsuit against both Muddy Waters LLC and MedSec Holdings Inc., saying “they intentionally disseminated false information about its heart devices to manipulate St. Jude stock” for profitable means. Short run-down ICYMI:

  1. Unknown Date: MedSec Holdings Inc. approached Muddy Waters with news of “astounding” security flaws detected in St. Jude Medical-produced cardiac devices, which just so happen to account for ~45% of St. Jude’s revenue
  2. August 25th 2016: Muddy Waters publishes a report proclaiming the firm’s taking of a “short position” on SJM
  3. August 25th 2016: St. Jude (STJ) stock subsequently plunged (albeit temporarily) by up to 8% and the New York Stock Exchange (NYSE) even forced a temporary halting of trading St. Jude stock
  4. August 25th 2016: St. Jude vehemently denied the allegations, MedSec and Muddy Waters stood strong behind their findings
  5. September 7th 2016: St. Jude rebuts with a lawsuit against both Muddy Waters and MedSec Holdings

Now… we wait and see how this one plays out, but let’s talk about who this St. Jude/Muddy Waters/MedSec situation could actually affect the most, regardless of litigation outcomes.
St. Jude?
Muddy Waters?
Abbott Laboratories? …… Well, potentially.

The facts: it just so happens that Abbott Laboratories agreed in April to purchase St. Jude Medical for ~$25 Billion.

The driver behind the Acquisition decision: “St. Jude Medical’s strong positions in heart failure devices, atrial fibrillation and cardiac rhythm management complement Abbott’s leading positions in coronary intervention and transcatheter mitral repair. Together, the company will compete in nearly every area of the cardiovascular market and hold the No. 1 or 2 positions across large and high-growth cardiovascular device markets.”

…Situation at Abbott? Here’s my guess.


The media hasn’t been shy to call out Abbott’s tough luck when it comes to M&As this year, as the road ahead for a separate acquisition, Abbott/Alere, doesn’t seem like a smooth one. Quick rundown: Alere’s foreign sales practices have been called into scrutiny, and now the M&A process has turned into “an all-out brawl” as Alere filed a lawsuit on August 31st accusing Abbott of dragging their feet to close the deal in hopes it will fall through instead. And now, we have this security entanglement with Abbott/St. Jude.

Hypothetically speaking, I see 4 general scenarios playing out for Abbott in relation to the St. Jude/Muddy Waters allegations:

  1. The allegations are true, the M&A falls through entirely based on Abbott claims that St. Jude can’t pass the due diligence clause.
  2. The allegations are true, and Abbott attempts to restructure/renegotiate the M&A as a result.
  3. The allegations are true, but the M&A goes through as planned and Abbott essentially suffers the projected revenue losses due to security “challenged” St. Jude devices.
  4. The allegations are false, the acquisition proceeds as planned and everyone at St. Jude & Abbott is happy (well, hopefully, in a best case scenario).

The way I look at it, 3 out of 4 scenarios cause Abbott, the acquirer, to deal with consequences ranging from additional corporate “headaches” to “critical damage/sound the alarms”; consequences an acquirer would have hoped to have detected or planned for during the M&A due diligence (buzzword alert!) process – essentially the prospecting and analysis phase that goes into determining whether or not to proceed with an M&A decision. Now, believe me, I have absolutely no insider information here on either the Abbott or St. Jude due diligence process, so this is just speculation, but I wonder if/how cybersecurity fit into the due diligence picture? Could cybersecurity have been overlooked, or at least undervalued?

Checking in with Forbes’ and Bain & Company’s due diligence advice, I see Forbes’ key due diligence activity #2 focusing around “Technology/Intellectual Property (IP)”. However, it mostly covers patenting, licensing, the extent of the technology portfolio, etc. No mention of cybersecurity here, or in any other of the 20 key due diligence process activities.

Now, neither of these is the definitive guide for M&A due diligence, nor does either provide us with any insight into the activities that surrounded the Abbott/St. Jude acquisition decision process. However, what this controversy clearly demonstrates is that security needs to be an integral facet of any M&A due diligence process.

To avoid being blindsided, both parties involved in any M&A need to have a full understanding of the risks and liabilities surrounding the activity – this cannot be achieved without a thorough cybersecurity risk assessment. Organizations considering M&As of any magnitude need to know what vulnerabilities exist pre-acquisition, what vulnerabilities and areas of weakness may be introduced throughout the integration and transition phases, and where the joint entity will stand in terms of security/risk maturity post-acquisition. Otherwise, be aware that the shiny new “used car” you just purchased could actually be a lemon…


Synack’s high-touch, M&A security solution can help M&A stakeholders perform a thorough security risk analysis throughout all phases of the M&A decision process – from helping organizations make more informed pre-acquisition due diligence decisions, to ongoing risk assessments post acquisition, and everything in between.