By Bradley Wolfenden
Cyberattacks on businesses do more than violate laws and regulations. Insufficient investment into cybersecurity best practices can lead to devastating consequences to the victim company’s reputation, business continuity, and growth opportunities. One of the most vulnerable windows during which malicious actors target enterprise networks is during a merger and acquisition (M&A) process. In these cases, a successful compromise can hamper or even kill these efforts by reducing the value of the target’s assets, tarnishing its brand and ultimately derailing the acquisition as a result.
A business that is being acquired or generally exploring a sale typically desires a maximum return, and the acquirer wants to make sure its target is valued appropriately and is a sustainable asset. Traditionally, however, acquiring organizations are quick to shortcut, or overlook entirely, the cyber due diligence necessary to ensure their target comes with a sound cybersecurity posture. Gartner reports that by 2022, 60% of organizations engaging in M&A activity will consider cybersecurity posture a critical factor in their due diligence process, up from less than 5% today. Cybersecurity risk is a growing challenge and concern for a number of reasons, and the risks for an acquirer in this environment are increasing.
Conduct an M&A Security Assessment
When acquiring a company, it’s crucial to identify any gaps in its security controls, evaluate its data protection capabilities, scope the level of cyber risk, and prioritize remediation activities accordingly. The period between a deal’s announcement and closing carries particular risk if vulnerabilities exist, given the heightened awareness and opportunity. This can raise anxiety among stakeholders—including investors, shareholders, customers, employees and suppliers—bringing further risk of disruption. Yet delays, added costs and questions about a target’s value all have consequences for the deal process.
Oftentimes, malicious actors will breach a corporate network, perform reconnaissance to obtain alternate credentials or privileged access rights, and wait for a timely opportunity to strike. Unless proper due diligence is performed, the acquiring party will ultimately be faced with the mitigation effort. Moreover, if the malicious activity isn’t identified and corrected, these existing vulnerabilities can be leveraged by threat actors to gain access to the acquiring company’s larger network as the integration progresses. To avoid such damage, investors need to be aware of the target’s cyber risks so they can avoid pitfalls, model the deal appropriately and ensure a reasonable transaction.
Below are some specific steps security and business leaders should take to assess the cybersecurity posture of an acquired company:
Once you’ve conducted a security assessment of the company being targeted for an acquisition, what do you do with all that data? Below are three steps to perform post-assessment:
What You Need to Know Before Merging IT Systems
Below are some M&A security measures an acquiring company should take before merging IT systems and networks:
If you’ve followed the M&A security best practices outlined above, you’ve put your organization in an advantageous position to execute a merger or acquisition securely and confidently. But this is not the end of the due diligence necessary for a secure merger. Below are some security considerations you should keep in mind long after an M&A transaction is completed:
Cybersecurity due diligence has become increasingly important for M&A transactions. Savvy acquirers understand the potential for significant liabilities resulting from a selling company’s failure to properly identify and handle prior data breaches or other cybersecurity incidents. Less frequently discussed is how a prior cybersecurity incident may impact the value of a selling company, such as when valuable intellectual property has been stolen or when mandatory disclosure of an incident post-acquisition results in significant reputational damage and lost business.
Similarly, a failure to comply with contractual and regulatory requirements may require a buyer to invest significant resources to bring a selling company into compliance and to mitigate privacy and cybersecurity risks.
A thorough and thoughtful due diligence investigation of the selling company’s cybersecurity and data privacy situation is critical for an acquirer to assess the risks and liabilities it may take on by making an acquisition, and whether such risks are relevant to accurately assessing the value of the target company.