Cybersecurity is not the first item that jumps into your head when talking about mergers and acquisitions. Yet, an in-depth look at the cybersecurity strategy and history of the company targeted for acquisition can lead to substantial cost reduction.
More than one deal has been significantly impacted by cybersecurity issues:
- The Verizon/Yahoo! $350 million decrease in the initially agreed-upon price, following Yahoo’s disclosure of two massive breaches in previous years
- The £18.4 million fine by the U.K. Information Commissioner’s Office imposed on Marriott International two years after it acquired Starwood Hotels, for an undiscovered data security incident preceding the acquisition.
Given cybersecurity’s potential short and long term impact on a merger and acquisition, it is important to pay particular attention to:
- Overlooked vulnerabilities – this requires running an independent assessment of the planned acquisition’s cybersecurity posture
- Re-assessing the security score of known vulnerabilities
- Thorough evaluation of the planned acquisition’s supply chain
Lethal Mergers & Acquisitions Cybersecurity Risk Factors to Be Aware Of
Traditionally, mergers and acquisitions’ due diligence focuses on business aspects such as Finance, Legal, Business, Operations, Human Resources, and IT. Cybersecurity on the other hand is given only a cursory glance despite the potential risks it carries. This is a potentially costly oversight. The acquired company’s cybersecurity posture needs to be checked on multiple levels
At the acquired company level, the acquiring entity should:
- Evaluate the acquired company’s overall security posture
- Ensure that the acquired company is not compromised, either:
- Directly: through exploited vulnerabilities that enabled threat actors to leave a dormant malware
- Indirectly: through the supply chain where one or more supplier’s security posture is porous and might hide undetected vulnerabilities or be used by threat actors as a point of entry.
At the structural level, the acquiring entity needs to:
- Integrate the acquired business digital infrastructure, which requires connecting and securing multiple access points and gateways. Account for all the additional endpoints and integrate them into the overarching cybersecurity infrastructure.
- Update the access privileges of the acquired business third-party suppliers to minimize the risk of supply-chain attacks.
At the Merger and Acquisition communications level, both entities should:
- Secure communication channels to ensure that:
- Technologies used to share confidential documents are safe from spyware, malware, or ransomware injection
- Deal-related exchanges – by phone, email, chat, or other – are not compromised
- All participants are security trained and aware of the heightened risk of being targeted for spearfishing
- Collect cyber intelligence to evaluate whether news of the upcoming merger and acquisition has generated increased interest from malicious parties or hostile nation-states.
What Are the Cybersecurity Steps to Take Before a Mergers and Acquisitions Process?
The inherent cybersecurity risks associated with the mergers and acquisitions process might lead to a significant reduction in price, or could even lead the acquiring body to opt-out of the process entirely. Therefore, the following should be kept in mind throughout the M&A process:
- Conduct an in-depth cybersecurity assessment of the digital footprint, IT assets, and all online assets being acquired, to detect any vulnerabilities and ensure that none are compromised. Hire a third-party auditor as needed.
- Evaluate the acquired entity’s liability in terms of cybersecurity risk and quantify it to reduce the acquisition price.
- Take a data inventory, including an in-depth evaluation of its bulk and storage data transfer security procedures.
- Assess the cybersecurity posture and maturity of the acquired entity, based on security standards such as NIST, CIS, ISO 27k, etc. The next step is to evaluate the cost of:
- integrating their cybersecurity systems with those of the acquiring entity
- bringing the acquired entities cybersecurity posture in line with the acquiring entities
- Compliance requirements
- Assess the cybersecurity posture of the acquired entity’s networks and applications and evaluate the cost of aligning them with those of the acquiring entity.
- Assess the resilience posture of each third-party included in the acquired entity’s entire supply chain.
- Assess the acquired entity’s privacy policies and data storage policies, and their compatibility with the acquiring entity’s compliance requirements.
- Run penetration tests to identify potential unknown areas of the attack surface.
- Create an integration strategy to avoid generating critical security gaps when converging the acquired and the acquiring networks.
- Calculate the negotiation margin based on the cybersecurity findings.
The last point might not be directly cybersecurity linked but could nevertheless yield a significant decrease in the merger and acquisition original price estimate. It therefore justifies the expense and time investment of these steps as an integral part of the mergers and acquisitions process, even without considering the invaluable potential long-time savings from the punitive cost of an inherited infected vector or hidden exploitable vulnerability in the acquired entity.
Don’t Cut Corners
Cutting cybersecurity corners when running a pre-mergers and acquisitions due diligence is a mistake. In some instances, depending on the size of the companies involved in the process, hundreds of millions of dollars are at stake, ranging from fines to legal costs, IP and data loss, direct and indirect loss of business, to reputational damages.
Acquiring or merging with an external entity implies absorbing its entire digital footprint, including the cybersecurity threats and the risks associated with the acquired applications, information systems, and supply-chain.
Working on a Merger & Acquisition? Speak to one of our experts to learn how we can help you navigate the process in the safest way possible