Securing M&A with cybersecurity focus

Hwei Oh

Last year, mergers and acquisitions reached their lowest level in a decade but are now picking up again, says a report by PwC. However, the down market, geopolitical factors, and the immense growth in the use of digital technologies mean the approach to M&A deals will look very different in 2024.

And cybersecurity tops the list of factors that need to be revisited.

The 2020 pandemic drove companies towards digital transformation. This trend, which became central to many business models, also significantly increased their potential attack surface.

As we’ll explore in this post, failure to discover security weaknesses in a target company early in the M&A process can lead to disastrous—and very expensive—consequences for the acquirer, even years after the acquisition is completed. With the increased adoption of digital solutions and the growing number of M&A deals involving software companies, cybersecurity risk may become a primary factor in determining the long-term value of an M&A deal.

The M&A process itself might expose organizations to new risk

One important aspect to understand is that the M&A process itself might open organizations to data breaches. This happens for two reasons:

  1. Companies involved in a deal need to share sensitive information during the initial phase as well as during the execution phase. This exchange of data is subject to all the usual risks associated with data transfers, except that now the data is being transferred en masse, and almost all of it is sensitive.
  2. Companies involved in an M&A deal must also migrate assets and systems. This might include consolidating payroll systems, shifting employee information from one database to another, or changing the ownership of contracts and platforms.

Both situations are dream scenarios for hackers, making the M&A process a prime target for attempted breaches if an organization doesn’t prioritize having the right security controls in place.

As part of the M&A process, companies must implement secure ways to transfer information and migrate systems. This would include measures such as:

  • Encrypted email communications.
  • Specialized systems for data transfer.
  • Ensuring that third parties are trusted and secure to avoid supply chain hacks.

Warranty and indemnity clauses should be included in any deals to ensure that the target company complies with the cybersecurity aspects of the transaction. If the target company knows it will be on the hook for indemnity clauses should it fail to take adequate security precautions, it’s far more likely to double down on efforts to ensure security stays active during data transfers.

However, warranties and indemnities are tourniquet remedies. The ideal solution would be to prevent the wound—the cyberattack—from happening in the first place. That means it’s vital to work with the target company to ensure the process happens as securely as possible. Hiring an external security partner to oversee the process and ensure all best practices are being followed is also advisable.

The M&A process is a frequent target

In 2021, the FBI announced that threat actors had started targeting companies that were “involved in significant, time-sensitive financial events” such as mergers and acquisitions. These threat actors would then hit such companies with ransomware and threaten to reveal sensitive data to the public, an exposure that would be catastrophic in any M&A deal process.

For companies with a weak cybersecurity posture, a targeted attack could leak sufficient data to not only crash the M&A deal but also ruin the target company in the process. These kinds of attacks might also be launched as advanced persistent threats (APTs).

In 2022, investigators discovered a corporate espionage threat actor called UNC3542 (since named APT29) that snooped on corporate emails, looking specifically for details of large transactions and data on upcoming M&As. The threat actor established a foothold on network devices and operated for at least 18 months before being detected, far longer than the 21 days during which similar threats typically operate.

Attackers recognize that cybersecurity has been mostly an afterthought in the M&A process, making it a juicy target. Given that so much sensitive data can be exposed during this process, the potential rewards for hackers who breach it are high. Companies need to adapt to this new normal of risk when it comes to M&A.

The bare minimum due diligence isn’t enough

Cybersecurity incidents or data breaches that occur late in the M&A process can have a massive impact on deal profitability. A study by Forescout found that 53% of M&A deals were jeopardized when a security incident occurred.

Incidents that occur early during the process could significantly lower the target’s valuation. Yahoo’s valuation dropped by $350 million in an M&A deal with Verizon after the internet giant revealed three mega data breaches that compromised over 1 billion customer accounts.

Perhaps one of the most illustrative examples of minimum due diligence not being enough happened to Marriott International. The company had to pay an £18.4-million ($23.8-million) fine in 2018 for a breach of a database belonging to Starwood, a company it had acquired. What makes this example poignant is that Starwood suffered the breach before Marriott acquired it. However, Marriott footed the bill. Here’s how the timeline played out.

  • 2014: Starwood’s database is breached.
  • 2016: Marriott acquires Starwood but doesn’t uncover the data breach during its due diligence, so the breach continues for two more years.
  • 2018: The breach is discovered and Marriott suffers the consequences.

In total, hackers exfiltrated 500 million records and Marriott had to pay a massive fine for violating European privacy laws.

Many more examples exist, but the message is clear: Successfully managing risk during the M&A process requires extensive cybersecurity due diligence.

Your portfolio is only as strong as your weakest link

Firms with large portfolios must consider the cybersecurity threat of every company in their group. Data sharing means that attackers often need only compromise the weakest link to obtain a treasure trove of data belonging to the larger corporations in the group.

This approach is similar to a supply chain attack where hackers infiltrate weaker vendors that serve larger companies as part of a supply chain. Notorious examples of successful supply chain attacks include:

  • SolarWinds: An attack on this vendor affected multiple corporate giants (Microsoft, Deloitte, Intel, and others) and government agencies.
  • MOVEit: This supply chain attack led to the compromise of hundreds of organizations, including giants such as EY and Bank of America.

Welcoming a weak link into your portfolio of companies potentially threatens every company in that portfolio. This is why it’s so important to conduct comprehensive due diligence to ensure there’s no low-hanging fruit of an exposed company.

The essentials for comprehensive cybersecurity due diligence

Okay, so that’s all the bad news. The good news is that proper due diligence is possible. Step one in achieving this is to adopt a security-first mindset and to recognize that the digital-first nature of a post-pandemic world makes due diligence of cybersecurity during M&As crucial.

To achieve comprehensive cybersecurity due diligence, do the following:

  1. Take a proactive role in the cybersecurity aspect of the due diligence process.
  2. Recognize that seeing whether basic controls and systems are in place isn’t enough for comprehensive due diligence.
  3. Minimally, you should look deeply into:
    1. A target’s detection and response capabilities.
    2. Their incident response strategies.
    3. Whether they have cyber insurance.
    4. Whether their solutions can handle complex environments.

The rule of thumb is to look for more than just prevention tools.

Investing only in prevention tools is an outdated form of cybersecurity protection. Although such tools still form an essential part of any robust security posture, threat actors these days use far more sophisticated methods to infiltrate networks, including social engineering and credential theft.

When performing due diligence for a target company, check that the company has effective solutions in place, such as EDR (Endpoint Detection and Response) or a modern form of MSSP (Managed Security Service Provider), that cater to these new threats and risk factors. If such solutions are missing, operate on the assumption that the target has already been compromised, and insist on an exhaustive compromise assessment until you’re confident that no past compromise has occurred.

Cybersecurity due diligence doesn’t have to be done in isolation

Comprehensive due diligence may be a tall ask. Leaders might not have the cybersecurity expertise required to ensure that every aspect of a company’s cybersecurity has been covered, so bringing in a third-party expert can help immensely.

Cybersecurity is a dynamic sector, and professionals need to be constantly updated on the latest threats and technologies. Even if the target company has an in-house team, it’s unlikely that the team will be fully equipped to handle the increased risk associated with the M&A process.

Post-M&A, a third-party vendor can also ensure that the new structure is equipped with proactive and comprehensive protection.

SolCyber is one such vendor, offering the full gamut of cybersecurity services from detection through remediation and recovery. To learn more about how SolCyber can help during the entire M&A process, reach out to us for a no-obligation call.
