Blog

Data Privacy and Cybersecurity Issues in Mergers & Acquisitions

2/27/2020

By Bradley Wolfenden

Cyberattacks on businesses do more than violate laws and regulations. Insufficient investment in cybersecurity best practices can have devastating consequences for the victim company’s reputation, business continuity, and growth opportunities. A merger and acquisition (M&A) process is one of the windows during which enterprise networks are most exposed to malicious actors. In these cases, a successful compromise can hamper or even kill the deal by reducing the value of the target’s assets, tarnishing its brand and ultimately derailing the acquisition.

A business that is being acquired or generally exploring a sale typically desires a maximum return, and the acquirer wants to make sure its target is valued appropriately and is a sustainable asset. Traditionally, however, acquiring organizations are quick to shortcut, or overlook entirely, the cyber due diligence necessary to ensure the target comes with a sound cybersecurity posture. Gartner reports that by 2022, 60% of organizations engaging in M&A activity will consider cybersecurity posture as a critical factor in their due diligence process, up from less than 5% today. Cybersecurity risk is a growing challenge and concern for a number of reasons, and the risks for an acquirer in this environment are increasing.

Conduct an M&A Security Assessment
When acquiring a company, it’s crucial to identify any gaps in its security controls, evaluate its data protection capabilities, scope the level of cyber risk, and prioritize remediation activities accordingly. The period between a deal’s announcement and closing carries particular risk if vulnerabilities exist, given the heightened public awareness and the opportunity it presents to attackers. This can raise anxiety among stakeholders—including investors, shareholders, customers, employees and suppliers—bringing further risk of disruption. Yet delays, added costs and questions about a target’s value all have consequences for the deal process.

Oftentimes, malicious actors will breach a corporate network, perform reconnaissance to gain alternate credentials or privileged access rights, and wait for a timely opportunity to strike. Unless proper due diligence is performed, the acquiring party will ultimately be faced with the mitigation effort. Moreover, if the malicious activity isn’t identified and corrected, these existing cyber vulnerabilities can be leveraged by threat actors to obtain access to the acquiring company’s larger network as the integration progresses. To avoid such damage, investors need awareness of the target’s cyber risks so they can avoid pitfalls, model appropriately and ensure a reasonable transaction.

Below are some specific steps security and business leaders should take to assess the cybersecurity posture of an acquired company:
  • Review common organizational policies, including the information security policy, terms of use agreements, acceptable use policy and data classification policy.
  • Consider the results of previous security audits and assessments, vulnerability scans, and penetration tests when formulating incident response plans and playbooks.
  • Implement network segmentation and network policies, which are crucial to realizing the synergy of the acquisition.
  • Comprehend the acquired company’s threat model.
  • Review the state of IoT security.
Other M&A security factors to consider include IT security expenditures, future cybersecurity plans and technology integration roadmap, certifications, regulatory compliance, cyber insurance policies, employee background verification and off-boarding, security operations centers (SOCs), cybersecurity awareness programs, vendor risk assessments, authentication and access controls, encryption, network monitoring, disaster recovery and business continuity planning, organizational structure, and the information security reporting chain.
Once you’ve conducted a security assessment of the company being targeted for an acquisition, what do you do with all that data? Below are three steps to perform post-assessment:
  • Map the available systems and processes according to the Deming Cycle, also known as the PDCA Cycle, which stands for Plan, Do, Check, Act. Recently, the National Institute of Standards and Technology (NIST) added “Prepare” as a key step in its Risk Management Framework (RMF).
  • If the acquired company is not technologically mature, it may be prudent to employ a third party to conduct an independent security audit, which includes vulnerability scans, penetration tests and custom methods to assess the security posture of the acquired company.
  • Evaluate IT security personnel through security questionnaires and interviews.

What You Need to Know Before Merging IT Systems

Below are some M&A security measures an acquiring company should take before merging IT systems and networks:
  • Identify what types of cyber risk(s) the target company faces based on its industry, geography, partners, products, services, customers, and supply chain.
  • Study network and system architectures, including known hardware and software vulnerabilities, the IT and OT asset inventory, patching schedule, digital asset management, cloud services, mobile policies, application vulnerabilities, data flows, and more.
  • Understand all data handling measures, data privacy and security controls, including how the acquisition target stores, uses and disposes of customer data and their intellectual property. Review any contractual obligations, specifically over data, that the acquired company may have with another company.
  • Review the acquired company’s overall security program and culture to verify that it meets regulatory requirements, current industry standards and best practices.
  • Review the existing security policies and audit results with respect to processes (operations), people and technology.
  • Investigate any previous charges, complaints or litigation around fraud, extortion, ransom, etc.
  • Determine whether the acquired company could defend itself from adversaries or recover if a breach occurred. Will the acquiring company or investors inherit risks they are mature enough to handle?

Additional Post-Merger Risk Management Considerations
If you’ve followed the M&A security best practices outlined above, you’ve put your organization in an advantageous position to execute a merger or acquisition securely and confidently. But this is not the end of the due diligence necessary for a secure merger. Below are some security considerations you should keep in mind long after an M&A transaction is completed:
  • During and post-merger, implement granular controls for identity and access management (IAM), harden perimeter security, audit logs, and revise security processes and cybersecurity training.
  • Invest in automated risk management services to provide guidance and support for automating multiple risk management programs with a single, centralized IT governance, risk and compliance (GRC) platform.
  • When in doubt, remember to consult your corporate risk assessment strategy, IT governance strategy, cyber risk mitigation checklist and incident response playbooks.
  • Consider establishing an advanced, technical cybersecurity service provider partner if you don’t have one already. It’s crucial to have developed this relationship BEFORE any breach or compromise occurs, as the relationship building, understanding of your network environment, acceptable risk preferences, etc. become more difficult to conduct alongside incident response activity.

Conclusion
Cybersecurity due diligence has become increasingly important for M&A transactions. Savvy acquirers understand the potential for significant liabilities resulting from a selling company’s failure to properly identify and handle prior data breaches or other cybersecurity incidents. Less frequently discussed is how a prior cybersecurity incident may impact the value of a selling company, such as when valuable intellectual property has been stolen or when mandatory disclosure of an incident post-acquisition results in significant reputational damage and lost business.
Similarly, a failure to comply with contractual and regulatory requirements may require a buyer to invest significant resources to bring a selling company into compliance and to mitigate privacy and cybersecurity risks.
A thorough and thoughtful due diligence investigation of the selling company’s cybersecurity and data privacy situation is critical for an acquirer to assess the risks and liabilities it may take on by making an acquisition, and whether such risks are relevant to accurately assessing the value of the target company.
© 2020 By Light Professional IT Services LLC. All Rights Reserved.