In December 2021, Deadline predicted that Media Mergers & Acquisitions should be heating up in 2022. After some monster deals highlighted 2021, the first five months of this year have proven them right.
In January, Microsoft announced it was buying Activision Blizzard for $68.7 billion, while Take-Two Interactive announced it was buying Zynga for $12.7 billion. WarnerMedia and Discover completed their merger in April. Variety reported that Chernin Entertainment is in talks to acquire Red Arrow Studios, Imagine Entertainment is looking to sell a majority stake to Centricus, and ViacomCBS is one of the studios in talks with Bagdasarian Productions.
Almost by definition, mergers and acquisitions (M&A) are fraught with risk. Different management styles and corporate cultures can make even the best-looking fits fall apart. Companies spend months on due diligence, trying to ensure that there are no surprises after the purchase, which brings us directly to cybersecurity.
A few weeks ago, we took a close look at the entertainment industry. Its public nature, high-value assets, and deep pockets make it an ideal target for nation-state grade cybersecurity attacks. Cybercriminals have robbed millions from Hollywood and other entertainment venues over the last decade, and many assets for sale may already have cybercriminals hiding within their assets, waiting for the opportunity to take on a bigger target.
Are You Taking a Cyber-First Approach to M&A?
Poor cybersecurity can have a disastrous effect on a company. While due diligence typically focuses on finance, legal, operations, and HR, oftentimes, cybersecurity posture is completely overlooked or severely downplayed. This can have long-reaching implications. According to Deloitte, an American multinational telecom acquisition of a web services provider saw the price drop by $350M due to a data breach that compromised over 1B data records.
As part of the due diligence process, companies must review their target’s security posture and check for compromised assets that contain dormant malware. Additionally, they should ensure that there are no known supply chain threats, and at the very least create a supply chain risk register to be reviewed and assessed a few times per year.
In Deloitte’s 2021 Role of Cybersecurity in M&A report, they noted one company from 2020 that set aside 5% of the purchase price to cover any fallout from a potential ransomware attack that stemmed from the M&A activity. It also cited that 53% of respondents to a survey stated that their organization “encountered critical cybersecurity issues during the M&A process, which imperiled the deal.” This is actually encouraging, as it demonstrates companies are taking cyberthreats stemming from Mergers & Acquisitions seriously. The targeted company is adding a new addition threat landscape and attack surface, making it crucial to understand any potential threats that could be lurking within the new purchase.
Before the Merger & Acquisition
Entertainment companies merge or purchase other companies for many of the same reasons other companies do – they want to expand their capabilities, add new markets, or increase their assets. Before merging or acquiring a studio or other target, companies should conduct a thorough risk assessment. Begin by looking at the target’s digital footprint, their IT assets, and all online assets to ensure that nothing has been compromised.
Take a data inventory and evaluate its storage and data transfer security processes. You’ll also need to assess whether it meets your company policy and evaluate the cost of integrating the new assets into your existing security network.
In addition, you’ll need to assess the target company’s cybersecurity posture. Evaluate the costs of aligning the acquired assets into your system, and look at the resilience posture of each third party that is included in the acquired company’s supply chain.
Run penetration tests to identify unknown areas of the attack surface, and develop an integration strategy to avoid generating new security gaps when converging the two networks.
A Valuable Negotiating Chip
When cybersecurity issues are prevalent, the entire acquisition has the potential to undermine both companies involved. A haphazard patching culture can lead to attacks through known vulnerabilities that lead to data breaches and millions of dollars in fines. An unreliable supplier can open the gateway to stolen assets and hundreds of millions of dollars paid out in ransoms to protect assets.
When conducting due diligence, look for potential red flags that indicate low effort in cybersecurity. If you do come across them, this may be an opportunity to reduce the price of the acquisition. Keep in mind, though, that there will be significant costs involved in upgrading your acquisition’s security posture to meet your standards. These red flags may also be a deal-breaker.
Few organizations have the resources in place to fully evaluate a target’s IT footprint and ensure that there is a low risk of cyberattacks. To further complicate matters, time pressures and other buyers entering the arena might force an organization to make a deal without conducting cyber due diligence.
Bringing in outside teams to independently assess a target acquisition’s security posture can help move the deal forward. This team should have the skill set to run a cyber readiness assessment on all on-prem and cloud-based assets, perform penetration tests, and check all endpoints for vulnerabilities.
Your team needs to review existing security policies and match them to your policy, so it can point out any structural gaps in place. It also should review any third-party access, check the hardware for routers and other devices that are no longer being supported, and ensure that all software patches have been updated as recommended by the manufacturer or developer.
Their evaluation report should help guide whether you want to move forward with the acquisition or point out problem areas that will need to be addressed and can be used in negotiations.
Interested in learning how we help businesses evaluate the cyber-readiness of M&A targets? Get in touch today!