A study conducted by Forescout Technologies, The Role of Cybersecurity in M&A Diligence, which polled the views of more than 2,700 IT and business decision makers across the United States, France, United Kingdom, Germany, Australia, Singapore and India revealed that 53% of respondents had encountered a critical cybersecurity issue or incident during a M&A deal that put the deal into jeopardy. These results are troubling but not necessarily surprising, M&A deals have been holy grail cyber criminals for a while.
Five years ago, a leading cyber security firm FireEye sounded alarm bells when it discovered that cyber criminals had been hacking more than 100 companies, investment advisers and law firms in search of market-moving information about deals. Since then, high profile M&A related cyber incidents continue to surface with increased frequency and impacts.
When Marriott International acquired Starwood in 2016 for $13.6 billion, it was oblivious of a cyber-attack that dated back to 2014 and had exposed sensitive personal data of nearly 500 million Starwood customers. The implications were deep and lasting. The Marriott example is certainly not isolated. The Yahoo 2016 data breach, in which credentials for more than 500 million users were stolen and went undetected for two years, almost jeopardised its sale to Verizon and resulted in the company’s sale price being reduced by US$350 million in order to seal the deal. In addition to this notable discount, Yahoo was also forced to accept responsibility for ensuing liabilities from shareholder lawsuits and Security and Exchange Commission (SEC) investigations.
Several factors have spurred the rise in M&A related cyber risks, but five stand apart in complexity and implications:
- Cyber criminals have historically exploited the hysteria that characterise M&A activities to target key staff with sophisticated phishing attacks. This risk was highlighted by Australian Cyber Security Centre (ACSC), which cautioned, "During major organisational change, staff may find they are under pressure to accept the validity of requests for data, payment or access from people they don't know, and cannot easily verify the identity and authority of. Adversaries use this pressure to increase the likelihood of successfully using techniques such as business email compromise and CXO impersonation."
- Target organisations, as the Verizon – Yahoo deal brought to light, may be tempted to conceal material cybersecurity issues in their environment, fearing such information may undermine their deal prospects or significantly lower valuations. M&A targets often represent the mythical trojan horse for acquiring entities.
- Integrating dissimilar systems and technologies increases digital complexity, as highlighted in The Five Anchors of Cyber Resilience. Several enterprises are still saddled by jumbles of complex, aged and proprietary applications, referred to as ‘legacy spaghetti’. Complex digital environments are inherently harder to protect as additional technologies may require unique sets of skill sets as well as additional patch windows, hardening guidelines and vulnerability scanning.
- M&A negotiation strategies, pricing and associated sensitive information – such as the target company’s growth strategies or financial projections, taxation issues, contracts, customers, intellectual property and key employees – are a high target for criminals who use them to gain from illegal market manipulation. Also, if this sensitive information falls into the wrong hands, it may dent deal prospects or result in serious regulatory issues.
- Employees of the target company may become anxious about the fate of their jobs and be tempted to export high-value information such as product development plans, proprietary algorithms and client confidential documents to external drives or public cloud environments. This risk is higher for businesses whose prospects depend on the diligent protection of intellectual property, such as high-tech firms. M&A transactions, therefore, heighten insider cybersecurity threat.
Despite the myriad of challenges that threaten the viability of M&A deals and participating firms, M&A risks should be managed just like other business risks. In the section below, we highlight our top ten best practices. For detailed risk management process around M&A, download our CISO Playbook.
- Engage early and bring together both companies’ chief information security officers (CISO), the person who is responsible and accountable to the CEO and board of directors. Perform due diligence on major security incidents and breaches; capture observed top corporate, top information and cyber risks from the register.
- Invest time and effort during the formative stages of the deal. Conduct in depth due diligence looking into cyber security capabilities, key risks, compliance obligations, governance, assurance reports (e.g. SOC 2 Type 2 reports), threat landscape, prior data breaches etc. Embed cyber security into new corporate governance obligations - i.e. charters for new board, risk and audit committee constructs.
- Secure the immediate – communicate clear guidance to those handling highly confidential information (M&A related transactions); secure dealing rooms, clean desk policy, special handing etc. Step up monitoring during the highly confidential stages.
- Consider the people and culture risk. Step up security awareness for all employees and extend to senior executives/board (e.g. cyber threats to personnel, M&A data leakage as a result of human error, theft from both organisations intellectual property by disgruntled employees, etc.) Empower key with knowledge to slow down and be vigilant about sophisticated spear phishing attacks.
- Recognise business security opportunity and value early - embed business focused enterprise security architecture expertise within the integration team to exploit security capabilities, cost savings which support key achieve integration objectives (e.g. cross-selling products, identify duplication, map enterprise security architecture principles to gain value from deployed tools)
- Review the combined regulatory landscape, scope of applicability and identify any toxic combinations (e.g. areas of the business that must be kept separate). Prepare now and take account of incoming directives and legislation that will impact cybersecurity, privacy and broader data protection
- Before day one review cyber resilience and breach response practices - build new playbooks for merged entity, communicate with executive and operational team members so all are clear on how to deal with a major security incident or cyber crisis.
- Know your crown jewels and new threat profile - reinstate what’s mission critical in terms of assets (information, products, business applications, cloud applications etc.) on both sides early support an enterprise risk-based approach to security, delivering good a return on investment.
- Rationalise current security programmes - and consider where there are likely to be areas of duplication. Hold on any major technology investments until both CISO’s have met.
And finally, build a plan for day one and subsequent stages - target operating model for security risk governance and commercial competitive advantage.