Mergers and acquisitions (M&A) are on the rise post-COVID-19, as ongoing digital transformation has more companies acquiring others to enhance existing capabilities, reach new markets, or reduce competition.
While mergers and acquisitions already involve many factors contributing to their risks and impacting the decision-making process, the evolving cyber threat landscape makes this even more complex. This post will examine cybersecurity considerations for successful mergers and acquisitions to mitigate the cyber risks before, during, and after the M&A transition process.
The Importance of M&A Cybersecurity
Businesses are increasingly giving cybersecurity the attention it deserves to facilitate successful mergers and acquisitions. It’s estimated that almost 60% of firms going through an M&A transaction last year considered cybersecurity posture a critical part of their due diligence processes.
Furthermore, most respondents to a Forescout survey cited technology acquisition as their M&A priority, with cyber risk post-acquisition being their top concern. In the current threat landscape, cybersecurity concerns, such as discovering an unreported data breach, are enough to cause deals to fall through.
However, cybersecurity due diligence is not only essential for just the acquiring company. Insufficient security policies and procedures on the part of the target firm can jeopardize an M&A deal. In one of the most well-known M&A valuation catastrophes, Verizon slashed Yahoo’s deal price by a massive $350 million during the evaluation phase due to Yahoo’s security breaches.
Excellent cybersecurity benefits both sides of the M&A process. A clean bill of health concerning cybersecurity can make a target firm more attractive, and cybersecurity best practices on both ends make for a smoother, more secure transition period.
Cyber Risks in the M&A Process
More than half of respondents to the survey mentioned earlier said their organizations endured critical cybersecurity issues while going through the M&A process, risking negotiations. Poor cybersecurity can slow the acquisition process because security issues and c must be remediated before the acquisition. Failing to do so exposes the original business and its supply chain. The cost and time required to fix serious cybersecurity issues can jeopardize a deal.
Technological integration due to upgrading technology during a merger can involve risk from unforeseen cyber attacks. Full hybrid integration presents challenges, including incompatibility and scaling issues, as firms aim to integrate new technologies with legacy systems.
This kind of technological disruption could mask unusual activity on the system that would otherwise be identified as malicious or unauthorized access. An example is when Marriott experienced a data breach in 2018 from their Starwood brand due to a previous data breach involving the IT infrastructure and poor system integration to Marriott’s systems.
The acquired infrastructure may have cybersecurity threats within, such as undetected malware and access management issues. The acquiring firm must identify and remediate pre-existing vulnerabilities to protect both businesses and the supply chain.
IoT devices have also made M&A activities riskier as they have contributed to converging traditional IT with operational technology. The increased connectivity has increased attack surfaces and exposure to hackers, including competitive adversaries that may wish to steal confidential data or intellectual property, disrupt businesses, or sabotage mergers.
The increased number of IoT devices also means that it’s increasingly likely that auditors will miss or overlook some during security assessments. Since cybersecurity is only as strong as its weakest link, every unvetted IoT device should be considered a serious risk to information security.
Information Technology (IT) Resiliency
Another major risk during a merger & acquisition process is the risk that there will be one or more extended periods when IT resources are overburdened while the firms integrate technologies. It’s a time of high risk for both companies as necessary network activities can make them vulnerable.
Cybercriminals may be watching the merger to leverage this vulnerability with a cyber attack that compromises information security, such as phishing or ransomware, or functionality of business processes, such as Distributed Denial of Service (DDoS).
An M&A process means two sets of critical data are at stake. The acquiring company, therefore, must take steps to identify, assess, and mitigate the risks of both companies to maintain information security.
Lack of Information
Especially in the case of small to medium-sized organizations, the acquiring company may need more documentation regarding cybersecurity policies and practices. This gap makes it hard for acquiring companies to assess the cybersecurity risk of the acquisition, which may expose them to cyber threats.
Performing due diligence in such a circumstance is likely to take longer and be more labor-intensive than when acquiring a firm with up-to-date records on its cybersecurity practices and a good understanding of its security posture.
While a business can perform penetration testing and conduct surveys to learn more about the target firm’s security posture, the results will not be as comprehensive or accurate as examining a firm’s cybersecurity system event logs. If the acquiring firm cannot find the information it needs to make an informed decision about the target firm’s cyber risk, it must decide whether to abandon the M&A process or proceed with caution.
While a merger and acquisition process may have a clear structure on paper, firms can expect disruption as they work out new roles and responsibilities and attempt to homogenize procedures and operational practices. In many cases, there will be changes of location to consider, as well as potential job losses and dissatisfaction among some employees.
With so many factors in a period of change, maintaining stable information systems and cybersecurity can be challenging. Companies with the most mature and advanced cybersecurity controls will fare best when identifying, managing, and mitigating M&A cybersecurity risks.
Cybersecurity Considerations Throughout the M&A Lifecycle
The M&A process is not the sole responsibility of the acquiring company. To make the transition as smooth as possible, the two firms must be open and collaborative at every stage. The acquiring organization needs to clearly define five key areas for effective cyber risk management during the M&A process:
- Governance — This refers to the organizational structure and the roles and responsibilities regarding information security management.
- Policies — This should include all policies regarding minimum standards for the protection of information.
- Managerial Processes — The acquiring firm must detail its processes used to manage and monitor information security risks.
- Tools and Technology — The acquirer should strengthen its cybersecurity tools and adopt new technology where necessary to provide adequate protection to information security during the risky M&A process.
- Risk Metrics — This allows risk to be measured in a standardized way, facilitating essential communication with multiple leadership levels.
The following are cybersecurity considerations businesses will need to prioritize as they move through the M&A lifecycle.
Before the M&A Process
At the earliest stage of the M&A lifecycle, the acquiring firm must take reasonable measures to ascertain the security of the target organization’s environment.
The acquirer needs to learn about the security controls it has in place and the maturity of its cybersecurity and cybersecurity culture — its behavior, attitude, and practices that relate to cybersecurity and cyber risk. Assessing the target organization’s cybersecurity culture is essential because most data breaches involve human error.
Before making an offer for an organization, the acquiring firm should perform cybersecurity due diligence to assess the target firm’s legal status regarding regulatory compliance, security policies, and fourth-party risk. This is particularly important for heavily-regulated industries, including healthcare and the financial sector.
Note that some risk is acceptable, depending on how impactful those risks are on the business. The acquiring firm must determine its risk tolerance and identify whether acquiring the target firm falls within those acceptable limits.
The acquirer should perform a detailed risk assessment to understand the risk of acquiring the target company. The assessment will provide information on the potential impact of risks and vulnerabilities and how they might be mitigated.
Even after a risk assessment, the acquiring firm should take action to find threats and vulnerabilities. These further steps might include passive threat hunting and extensive searches of publicly available information to detect possible data leaks.
Companies must discover the probability of data breaches because a merger can make both companies vulnerable to cyber attacks. A successful data breach could damage business operations, trust, reputation, and revenue.
During the M&A Process
After the initial stage of the M&A process, the acquiring firm needs to consider the kind of integration it proposes. Depending on the acquiring firm’s key business objectives, this might be full, hybrid, or soft.
The kind of integration will determine the work required and the potential risk of the merger or acquisition. This level of detail is necessary to develop a robust risk management strategy.
To promote as secure and efficient a transition as possible, the acquiring and the target company must establish agreed-upon roles and responsibilities within their organizations.
An in-depth review of the target company’s information security processes and procedures will ensure they align with those of the acquiring company. Standardizing the two organizations’ information security procedures should make risk management more efficient and effective.
Discovering an undisclosed data breach during these security assessments is a major issue as it calls the integrity of the business into question and exposes the potential acquirer to reputational damage and unforeseen security problems.
While there may be pressure to complete the merger or acquisition quickly, proper security assessments at this stage are a vital part of cybersecurity due diligence. To effect the necessary security controls promptly and ensure the safety of the acquiring organization, firms typically lean on external auditors and cybersecurity teams specializing in M&A transactions to help.
When the M&A deal is signed legally, the acquiring firm may take more intrusive actions to determine the cyber risks of acquiring the target company. These steps might involve penetration testing and more active threat hunting. Identifying and mitigating as many critical vulnerabilities and potential causes of security breaches as possible is imperative before the firms attempt to integrate.
At this stage of the M&A lifecycle, endpoint protection and response (EDR) and continuous monitoring of networks can be extremely helpful. Significant risks can increase with the integration of networks. The threats may be from cybercriminals or competitors, who will be aware of the potential for sabotage, corporate espionage via spyware, and business disruption.
Both organizations would benefit from the highest levels of cybersecurity possible at this stage, including 24/7 monitoring and real-time threat detection.
After M&A Integration
After signing the M&A deal, the acquiring company needs to define Key Risk Indicators (KRIs) and monitor them throughout the integration process to ensure that risk levels remain within acceptable limits.
Even if preliminary evaluations have not identified security risks, it’s vital to recognize that threats may exist or arise in the later stages. Continuous monitoring and use of cyber threat intelligence will help organizations maintain security operations that can adapt to unforeseen threats.
It’s also the time to remediate any vulnerabilities identified up to this point. As with the Key Risk Indicators, it is essential to define a way of measuring the effectiveness of those security measures and to assess them regularly.
In addition to integrating the two organization’s vulnerability remediation measures, they need to integrate their cybersecurity systems, including all information security policies and procedures. This must include updated incident response plans, with clear instructions regarding stakeholders, roles, and responsibilities that staff can refer to during a cyber incident such as a data breach or DDoS attack.
As the two businesses are aligned and settle into the post-acquisition phase, it’s essential to continue monitoring information security. As during the main part of the acquisition process, monitoring should be around-the-clock. The acquiring Chief Infomation Security Officer (CISO) or similar position must ensure that the target firm’s cybersecurity meets the buying firm’s requirements for confidentiality and integrity, following the same policies and procedures.
The post-M&A period remains a vulnerable time for companies, so they must remain vigilant. They also need to maintain their focus on how they respond to cyber incidents to ensure that the new structure or structures are resilient in the face of cyber attacks.
This might be achieved via cybersecurity drills, simulated phishing attacks, and other techniques to test the readiness of the incident response plan and how prepared the organizations are for a cyber attack.
While companies assess their targets’ operational and financial situations, they must also thoroughly assess target firms’ security postures. Realizing that a firm has significant vulnerabilities needs to happen before a takeover and not after.
Moreover, a firm’s cyber threat level increases as soon as word goes out that a merger is being discussed, so cybersecurity must be a critical factor throughout the entire merger & acquisitions process.
A business going through M&A needs to:
- Thoroughly assess its internal IT infrastructure
- Assess the information security of the target firm
- Ensure top-level security throughout the integration process;
- Implement security measures to promote resilience in the event of a cyberattack following a successful merger
Considering the complexity of mergers and acquisitions in the current business ecosystem, it’s normal for firms of all sizes to solicit help from IT service providers to reduce cyber risks. Conducting due diligence and performing internal and external audits requires specific skills.
Firms with a solid M&A cybersecurity strategy, patching practices, AI and cybersecurity automation technology, application security systems, and security information and event management (SIEM) tools have robust resources and gather accurate information to complete mergers and acquisitions more quickly and securely than firms that fail to prioritize M&A cybersecurity.