Last year, mergers and acquisitions reached their lowest level in a decade but are now picking up again, says a report by PwC. However, the down market, geopolitical factors, and the immense growth in the use of digital technologies mean the approach to M&A deals will look very different in 2024.
And cybersecurity tops the list of factors that need to be revisited.
The 2020 pandemic drove companies towards digital transformation. This trend, which became central to many business models, also significantly increased their potential attack surface.
As we’ll explore in this post, failure to discover security weaknesses in a target company early in the M&A process can lead to disastrous—and very expensive—consequences for the acquirer, even years after the acquisition is completed. With the increased adoption of digital solutions and the growing number of M&A deals involving software companies, cybersecurity risk may become a primary factor in determining the long-term value of an M&A deal.
One important aspect to understand is that the M&A process itself might open organizations to data breaches. This happens for two reasons:
Both situations are dream scenarios for hackers, making the M&A process a prime target for attempted breaches if an organization doesn’t prioritize having the right security controls in place.
As part of the M&A process, companies must implement secure ways to transfer information and migrate systems. This would include measures such as:
Warranty and indemnity clauses should be included in any deals to ensure that the target company complies with the cybersecurity aspects of the transaction. If the target company knows it will be on the hook for indemnity clauses should it fail to take adequate security precautions, it’s far more likely to double down on efforts to ensure security stays active during data transfers.
However, warranties and indemnities are tourniquet remedies. The ideal solution would be to prevent the wound—the cyberattack—from happening in the first place. That means it’s vital to work with the target company to ensure the process happens as securely as possible. Hiring an external security partner to oversee the process and ensure all best practices are being followed is also advisable.
In 2021, the FBI announced that threat actors had started targeting companies that were “involved in significant, time-sensitive financial events” such as mergers and acquisitions. These threat actors would hit such companies with ransomware and threaten to reveal sensitive data to the public, exposure that would be catastrophic in any M&A deal process.
For companies with a weak cybersecurity posture, a targeted attack could leak enough data not only to crash the M&A deal but also to ruin the target company in the process. These kinds of attacks might also be launched as advanced persistent threats (APTs).
In 2022, investigators discovered a corporate espionage threat actor called UNC3542 (since named APT29) that snooped on corporate emails, looking specifically for details of large transactions and data on upcoming M&As. The threat installed itself on network devices and operated for at least 18 months before being detected, far longer than the 21 days during which similar threats typically operate.
Attackers recognize that cybersecurity has been mostly an afterthought in the M&A process, making it a juicy target. Given that so much sensitive data can be exposed during this process, the potential rewards for hackers who breach it are high. Companies need to adapt to this new normal of risk when it comes to M&A.
Cybersecurity incidents or data breaches that occur late in the M&A process can have a massive impact on deal profitability. A study by Forescout found that 53% of M&A deals were jeopardized when a security incident occurred.
Incidents that occur early during the process could significantly lower the target’s valuation. Yahoo’s valuation dropped by $350 million in an M&A deal with Verizon after the internet giant revealed three mega data breaches that compromised over 1 billion customer accounts.
Perhaps one of the most illustrative examples of minimum due diligence not being enough happened to Marriott International. The company had to pay an £18.4-million ($23.8-million) fine in 2018 for the breach in a database of acquired company Starwood. What makes this example poignant is that Starwood suffered the breach before Marriott acquired it. However, Marriott footed the bill. Here’s how the timeline played out.
In total, hackers exfiltrated 500 million records and Marriott had to pay a massive fine for violating European privacy laws.
Many more examples exist, but the message is clear: Successfully managing risk during the M&A process requires extensive cybersecurity due diligence.
Firms with large portfolios must consider the cybersecurity risk posed by every company in their group. Because data is shared across the group, attackers often need only compromise the weakest link to obtain a treasure trove of data belonging to the larger corporations in the group.
This approach is similar to a supply chain attack where hackers infiltrate weaker vendors that serve larger companies as part of a supply chain. Notorious examples of successful supply chain attacks include:
Welcoming a weak link into your portfolio of companies potentially threatens every company in that portfolio. This is why it’s so important to conduct comprehensive due diligence to ensure there’s no low-hanging fruit of an exposed company.
Okay, so that’s all the bad news. The good news is that proper due diligence is possible. Step one in achieving this is to adopt a security-first mindset and to recognize that the digital-first nature of a post-pandemic world makes due diligence of cybersecurity during M&As crucial.
To achieve comprehensive cybersecurity due diligence, do the following:
The rule of thumb is to look for more than just prevention tools.
Investing only in prevention tools is an outdated form of cybersecurity protection. Although such tools still form an essential part of any robust security posture, threat actors these days use far more sophisticated methods to infiltrate networks, including social engineering and credential theft.
When performing due diligence for a target company, check that the company has effective solutions in place, such as EDR (Endpoint Detection and Response) or a modern MSSP (Managed Security Service Provider), that address these newer threats and risk factors. If such solutions are missing, operate on the assumption that the target has already been compromised, and insist on an exhaustive analysis until you’re confident that no past compromise has occurred.
Comprehensive due diligence may be a tall ask. Leaders might not have the cybersecurity expertise required to ensure that every aspect of a company’s cybersecurity has been covered, so bringing in a third-party expert can help immensely.
Cybersecurity is a dynamic sector, and professionals need to stay constantly updated on the latest threats and technologies. Even if the target company has an in-house team, it’s unlikely that the team will be fully equipped to handle the increased risk associated with the M&A process.
Post-M&A, a third-party vendor can also ensure that the new structure is equipped with proactive and comprehensive protection.
SolCyber is one such vendor, offering the full gamut of cybersecurity services from detection through remediation and recovery. To learn more about how SolCyber can help during the entire M&A process, reach out to us for a no-obligation call.