When a private equity firm acquired a midsized manufacturer late last year, little did they know that someone else had set their sights on the same target. Just two months after it was purchased, a cybercriminal organization launched a crippling ransomware attack that locked up the manufacturer’s systems. The acquirer eventually paid $1.2 million to have their systems released, a risk they had not accounted for during the M&A process.
When buying a company, remember that you are taking on new cyber vulnerabilities and risk
Similar to financial debt and liabilities, when an acquirer buys a company, they are essentially assuming all cyber vulnerabilities and the entire risk profile of the business. A single miscalculation or underestimation of cyber risk can lead to severe consequences like erosion of share price, loss of reputation and exposure to lawsuits and investigations. For the seller, any leak in financial or customer information, intellectual property or confidential data can make them lose their competitive advantage, reduce the company’s valuation (recall Yahoo-Verizon) or eventually become a deal breaker (trigger a MAC provision) in the process.
While it’s typical for potential investors to assess financial, legal, operational and reputational risks, data shows that less than 10% of deals involve scrutiny of cyber security practices. To top it off, the FBI has warned that opportunistic cybercriminals have been going after M&A deals. M&As are considered low-hanging fruit: People are distracted, there’s big money involved and integration of people, processes and technology can expose exploitable loopholes.
Always perform a cyber security assessment before completing an M&A deal
On the upside, Gartner predicts that 60% of organizations will see cyber security risk as a primary deciding factor in third-party transactions by 2025. This is because cyber diligence favors both buyer and seller. For the buyer, a $50,000 assessment can potentially save $5 million of risk exposure or loss of IP. Additionally, it can also provide better visibility of the cyber security-related costs that the acquirer might incur during integration. Such insights help buyers view a fuller picture and negotiate better terms of acquisition. For the seller, performing a risk assessment in advance helps fix problems before they come to the attention of the buyer, provides a third-party endorsement and instills greater confidence in valuation estimation.
Bring your chief information security officer into the deal negotiations
It’s common for CISOs to be left out in the cold when a deal is being negotiated. IBM attributes two main reasons for this: the inexperience of security teams with the M&A life cycle and the need to keep the number of people with knowledge of the transaction at a minimum.
Security leaders must learn to speak the language of the business. When CISOs form meaningful relationships with other business leaders, they have a chance to participate in the conversation early. The idea is not to push one’s own agenda but instead offer observations and recommendations that add value to the deal.
For example, during the pre-acquisition phase, it’s common for businesses to think of cyber security as something that can be dealt with at a later point in time. However, this phase is when information leaks, speculation rises and competitors get alerted.
Consider security throughout all stages of the acquisition process
Security can play a major role during the closing and the post-acquisition process as well. When due diligence kicks off, security leaders can dish out a list of high-level security questions that are tailored to the target’s infrastructure. This can offer an initial view on the overall security posture, allowing them to determine if more scrutiny is necessary.
The integration phase is the point when security teams become responsible for the acquired entity. This is where security leaders can help establish new procedures and policies for the newly merged entity. In the post-acquisition phase, when the buyer assumes full risk, certain systems may not be fully integrated yet, so there might be a number of weak spots in the business. Cybercriminals have by now read the press release and are aware that an integration is underway. There is also heightened internal risk posed by disgruntled employees.
Sixty-five percent of companies experience regret in making an M&A deal due to cyber security concerns. This is likely due to the fact that more than half of companies wait to perform any cyber security audits until after due diligence is performed.