Enterprises are constantly threatened by evolving methods of cyber-attack. 2019 is no different: new attack methods have surfaced and have already targeted organizations. In this scenario it becomes more important for organizations to understand the ever-evolving threat landscape and to put appropriate controls in place to protect themselves and be resilient. One evolving cyber threat that has come into the limelight arises from mergers and acquisitions (M&A). Every new M&A deal also comes with potential security vulnerabilities that are hard to identify in the first place.
Every industry is adopting digital transformation, which in turn is changing the nature of its business, customer interaction, data usage and technology. Evolving cyber threats are keeping pace and pose serious challenges to mergers and acquisitions. As part of deal making, organizations going through mergers and acquisitions share resources ranging from labor and technology to other shared resources and information. This also leads the acquirer to take on the vulnerabilities of the company that is acquired.
Key challenges and security vulnerabilities arising from new Merger & Acquisition deals
- As per the survey by AON, during mergers and acquisitions bad actors target companies that are being acquired by larger enterprises. These attacks mostly happen between deal announcement and closing. In this scenario M&A becomes ever more challenging for deal makers.
- The cyber security posture of the organization being acquired is another important factor. It raises the question of how strong the cyber security controls in place at that organization are. As per the report findings by AON, when it comes to enterprise risk there is no guarantee that M&A target companies are patching security vulnerabilities.
- In M&A, cybersecurity threat is a reality. There are organizations that have been breached at some point or are under threat of cyber attack. So at the time of M&A it becomes equally important for the organization to go for an independent cyber security assessment. This is a serious challenge, as there can be active and unidentified malware in the current organization.
- The supply chain of an organization also poses a serious threat as organizations move to the cloud and to strategic outsourced relationships, and third parties are involved more than ever before in providing services and in the process have access to data.
- “Organizations should look at the supply chain of the company that is being acquired with the same lens that they should look at themselves.” “Companies should stress-test their own security and should expect and require their suppliers to do the same – move beyond simple vulnerability scanning and truly pressure test their cybersecurity capabilities with Adversary Simulation (Red Team) as well as invest in emerging security technologies to outmaneuver their attackers,” said Kevin Richards, MD of North American Security and global lead for Security Strategy and Risk at Accenture.
- Data breaches can lower a deal's valuation in M&A. This is what happened in 2017: after the discovery of data breaches affecting more than 1 billion Yahoo users, Verizon Communications shaved $350 million off its original price offer to acquire the company, which is about 7% of the original price. As the breach was revealed during the merger, the deal also included a liability sharing agreement.
- Attacks such as phishing can be a worrisome factor for organizations that are to be acquired. According to the AON survey, nearly 80 million patient records ended up in the hands of a foreign government due to a persistent attack that began with a phishing email opened by an employee of a large insurer’s acquisition target.
- A cyber-attack on a company can also bring down its brand value at the time of M&A. A company that has been acquired will always want to derive profit or maximum return from M&A. Insufficient investment in cyber security can hamper that goal by reducing the value of the company and damaging its brand reputation.
What steps can companies take to be more proactive in understanding and mitigating the cyber threats associated with a Merger & Acquisition?
- A risk-based approach to cyber threats is required on the part of the acquirer. Not all deals are of the same type, so the diligence required also differs. It therefore becomes more important to identify the sources of cyber threat and to have a process for evaluating the threat landscape. This landscape can vary by industry or region, and higher-risk transactions, such as acquisitions in certain countries or in sectors that have suffered recent attacks, require greater diligence. The PWC survey on “Understanding Cyber Threats due to Diligence” revealed that 64% of respondents said that cybersecurity issues are more difficult when the acquisition target is in a different country.
- Understanding the cyber threats in a deal is one of the major activities companies should undertake. That can be done through penetration testing of the target environment to better understand its current capabilities and identify the zones through which threats can enter.
- IT staff must be well prepared, must constantly hunt for bad actors, must be ready to face the inevitable day when there is an attack, and must proactively manage their defences. As deal making grows, the threat related to cyber security grows even faster.
- In an M&A deal the acquirer is expected to gather information on every security breach or incident that happened previously and may not have been shared publicly. This leads to a few more questions: what level of damage occurred, and what cybersecurity controls were in place at that time. The answers give insight into whether it is at all viable to do business with an organization that is not serious about protecting its data and intellectual property. Because the potential for future theft always remains, these answers are crucial for confirming its value in an acquisition. As per PWC research, 85% of consumers said they won't do business with a company if they have serious concerns about its security practices.
- The next step is to work with a specific person who can give a clear picture of the cybersecurity credentials of the company to be acquired in an M&A deal. In Accenture research conducted among 2,000 security executives across 12 industries and 15 countries, 70% of the respondents agreed that “cybersecurity at our organization is a board-level concern and supported by our highest-level executives.” The research further revealed that the CISO is the safest option to work with, as only a CISO can provide a significant benefit to the overall M&A due diligence process by helping characterize cyber risk within a transaction.
In the end, for an M&A deal to materialize, an understanding of cyber risk is a must. When making a deal, priority should be given to cyber security issues in terms of risk, cost, and compliance with cyber rules, and to how the data is being protected and whether there are lapses in that protection. This also brings to light whether the company being acquired complies with the government regulations and global privacy requirements that apply.
Focusing on these areas will help minimize the risk associated with mergers and acquisitions, bringing in more transparency and mitigating risk to brand value and equity.