Why cyber security is important during Mergers and Acquisitions (M&A)?
“Cybersecurity should be a key consideration in any M&A deal. Ignoring the potential risks could result in serious financial and reputational damage to the combined organization.” – Howard Schmidt, American computer security expert and former White House cybersecurity coordinator.
What would the impact be on your investment if a cyber-attack was to occur one hour, one day, one week or one month after the completion of a newly purchased acquisition? Cyber security due diligence is about protecting your investment and ensuring you truly understand the risks you are buying and what you need to do to make your acquisition as resilient and successful as possible.
Under normal circumstances, M&A transactions are complex, time-consuming, and intrinsically risky.
The acquirer buys or inherits the target’s digital platforms, intellectual property, customer databases, and assets and liabilities. In doing so, they absorb all cybersecurity threats and compliance risks associated with the target’s information systems and any risks associated with its administrative and operational procedures. Failing to carry out a detailed cyber evaluation of target companies as part of the transaction can result in significant financial, legal, and reputation repercussions including business interruption, regulatory investigation, and enforcement fines.
M&A can present a desirable target for cybercriminals due to the large amounts of sensitive data and the potential disruption to operations that can result from a successful attack. Therefore, it is crucial for companies to be aware of the potential risks and to implement appropriate safeguards to protect against cybersecurity breaches.
What kind of cybersecurity problems are most common during M&A?
Several typical cybersecurity problems can appear throughout the merger (and demerger) or acquisition process. These may consist of:
- Lack of visibility into the target firm’s cybersecurity posture: It can be challenging to thoroughly assess the cybersecurity risks of an organisation that is being purchased, especially if the target company has subpar cybersecurity procedures or lacks documentation of its systems and networks. Other common problems include a need for proper audit, asset and change management, application management and overreliance on remote local administration.
- Integration of diverse systems: When two businesses merge, it is common for them to have different IT systems and networks that need to be connected. As the systems are integrated, this procedure may lead to vulnerabilities, making it challenging to discover and fix every potential problem.
- Insider threats: During the merger or acquisition process, employees of both firms may be apprehensive about their future and may be more prone to participate in harmful conduct such as stealing sensitive data or sabotaging systems. Also, the additional workload of integrating systems causes lots of change and distractions, which may mean mistakes are more likely, patching slips and the signs of an attack aren’t detected as quickly as usual.
- Ineffective communication and coordination: To ensure that cybersecurity risks are addressed and managed, it is critical for both businesses involved in a merger or acquisition to communicate and cooperate effectively. However, this may not be easy if there is a communication gap, or many teams are not adequately collaborating.
- Legal and regulatory considerations: Data privacy and cybersecurity may be legal and regulatory issues that must be considered during the merger or acquisition process. These requirements must be followed to avoid serious risks and liabilities.
- Loss of control over corporate systems and data: Employees may lose access to corporate systems and data during a merger, leading to security breaches if proper access controls are not implemented. Often, services (like IT infrastructure computing and hosting or support functions) are retained from the selling party during a migration phase. If service level agreements are missing or wrong incentives are set, this can lead to loss of availability, confidentiality, or data integrity.
- Data breaches: As data is transferred between companies, there is a risk that sensitive information could be exposed or accessed by unauthorized individuals leading to a data breach. Users will be distracted, and often the inherited employees will be less familiar with the security processes and controls.
- Misconfigured systems: As systems and networks are reconfigured, there is a risk that they could be misconfigured, leading to security vulnerabilities.
What practical steps should be planned for security before, during and after M&A?
Pre-acquisition
- Involvement of the CISO and security team: It is imperative to get the CISO and their teams involved in all stages of the M&A deals as they will be vital in protecting the company’s assets and reputation, which is intrinsically linked to the value of the deal. In many cases, CISOs are introduced very late in the deal lifecycle. However, excluding domain experts in compliance and security is risky, as any unaddressed concerns could result in expensive liabilities.
- Conduct a thorough review of the target company’s security posture: It’s common to pay a premium to buy a business, so it’s crucial to identify any potential liabilities to keep the premium in line with the business’s overall value. Undisclosed data breaches are a dealbreaker. Therefore, the most basic step, as simple as it appears, is to identify whether any information is already publicly available that could present a risk of any data breaches in news articles, public filings, and social media.
- Engage with the target company’s security team: Establish a close working relationship with its security team to understand their current security controls, processes, and policies, as well as any identified vulnerabilities or risks, also their culture and attitude to risk. Consider how the M&A event will impact the acquiring company’s existing security controls, regulatory and compliance requirements, and determine if any changes (like streamlining) need to be made to ensure the security posture remains strong.
During Acquisition:
- Independent assessment: The next step is conducting an independent cyber and data security assessment, which will benchmark the business’s cyber resilience against international industry best practices. This assessment will consider every security component of a business to find possible blind spots, potentially highlight where systems may have already been breached, and provide a report detailing remediation requirements. Specialized consultancies like CyberCompare have experience in working with investors or sellers to conduct these assessments in a thorough, cost-efficient, and pragmatic manner.
- Establishing economic values: Translate the independent report’s recommendations into economic values for negotiation. Conduct a thorough cost analysis, considering security alignment for essential services like email and file sharing, more advanced services like development tools and processes and administrative issues like software licencing management and network access. Costs related to risk management and cybersecurity should be negotiated and included in the contract value parameters. Consider establishing an escrow fund to pay for any potential breach during post M&A.
Post – Acquisition
- Develop a plan for integrating the target company’s security posture: Once the M&A event is completed, work with the target company’s security team to develop a detailed plan for integrating their security measures into the acquiring company’s overall security structure. This may include updating policies and procedures, implementing new controls, and conducting additional training identified during the independent assessment.
- Maintain high vigilance: M&A activities often result in high media attention. Therefore, it is vital to maintain a high level of security observation at both businesses for heightened dangers resulting from media exposure. As systems are merged, there may be a slight relaxation of security protocols that could be taken advantage of. Create a strategy for identifying any emerging threats and maintain strict controls. Examples include using a dedicated team to monitor security compliance and detect any anomalies, step up threat intelligence monitoring and ensure risk management includes the newly expanded footprint of the combined businesses.
- Increased cyber resilience: Use this opportunity to simplify and streamline cyber security operations and enhance security posture. It will assist in building trust between partners, suppliers, and customers.
What steps to take if a security breach occurs during M&A?
For most organisations, M&A are not a business-as-usual occurrence, so in many cases, this won’t have been done by your organisation before. It is essential to have discussed this pre-merger and acquisitions and developed a plan as part of the 100-day and first-year integration plans, so people know how an incident will be managed. Therefore, you want to schedule an early practice/simulation or at least a tabletop exercise. Additionally, you will need to know how to escalate to the right people in the newly acquired org and ensure you’ll have the proper support, whether through a TSA with the seller or by ensuring key people are retained. Additional complications to consider include the following:
- You won’t know the systems as well, and the integration may have been rushed, with users and data straddling two environments, so you won’t be as familiar with trying to contain the breach.
- New playbooks won’t have been developed, and the teams aren’t as well-practised at responding.
- Overall, it can be messy with systems halfway through a transition and people in the midst of a re-organisation.
How to determine budget for cyber security and reduce risk of a breach during M&A?
It is difficult to provide an average expenditure on cybersecurity allocated during M&A as the amount can vary significantly depending on various factors. Some factors that may influence the amount of money allocated for cybersecurity during M&A include the size of the companies involved, the complexity of the merger or acquisition, the type of industry in which the companies operate, and the potential risks and vulnerabilities present.
In general, companies may allocate a larger budget for cybersecurity during M&A to ensure that they are adequately protected against potential threats. This may include conducting cybersecurity assessments and implementing appropriate safeguards, such as firewalls, intrusion detection systems, security protocols, and retention of key staff or third parties support in case it is needed in an incident.
To summarise:
- Cybersecurity risks can impact the value of a company: A company’s cybersecurity posture can significantly impact its value, particularly in an M&A deal. Companies with solid cybersecurity measures are likely to be more attractive to potential acquirers, as they are seen as less risky.
- Cybersecurity due diligence is essential: Organizations need to conduct cybersecurity due diligence before an M&A deal to identify potential vulnerabilities or weaknesses that could impact the security of the combined organization.
- Cybersecurity should be integrated into the M&A process: Cybersecurity should be integrated into all stages of the M&A process, including the planning and negotiation phases. This can help identify and address potential risks before the acquisition is completed.
- Cybersecurity risks can be managed: While there are always risks associated with M&A, particularly when it comes to cybersecurity, these risks can be managed through careful planning and the implementation of appropriate measures.
- Cybersecurity is a key business issue: Cybersecurity is not just an IT issue but a business issue that can have significant financial and reputational consequences. As such, it is important to prioritize cybersecurity in the context of M&A.
We highly recommend that organizations plan for security prior to starting and during the M&A process to limit the negative outcomes of realized risk. We understand that the planning process can be exhausting when comparing unique risks and controls in a quickly developing M&A landscape. CyberCompare can happ
Please remember: This article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.