M&A Cybersecurity - Biggest Risks and Best Practices
When merger and acquisition deals are announced publicly, both the buying and selling companies become targets for attackers, and M&A cybersecurity risk rises. Vulnerabilities that appeal to hackers often appear during the transition period. Pre-existing risks may also be hidden in the target, and those can later become severe liabilities for your company.
Managing cybersecurity in M&A deals usually takes a back seat to valuation and synergy expectations. However, in a recent IBM survey, one-third of executives stated that they had experienced data breaches due to activity during M&A. But more than half of companies wait until after performing due diligence to address cybersecurity, giving hackers a window of opportunity.
The key to changing the M&A mindset that renders companies vulnerable is to view cybersecurity as a balance sheet liability. Many companies have suffered substantial losses because hackers seeking short- and long-term gains infiltrated them during M&A deals. Address possible exposure early in the deal evaluation.
You can manage cybersecurity risks in M&A by examining cyber during due diligence, quantifying the risk, and transferring liability through insurance. Let’s explore cyber due diligence in M&A, how to assemble a cybersecurity due diligence team, the most substantial risks, and the best practices for managing cybersecurity in M&A.
What Is Cyber Due Diligence in M&A?
Cybersecurity due diligence is a process revealing a range of M&A cybersecurity deal issues, hidden costs, and risks before proceeding with the deal. Technical, operational, and governance assessments determine risk levels in combining entities.
A comprehensive cybersecurity due diligence report may reveal these issues impacting investment viability:
- Cybersecurity risks
- IT hygiene concerns
- Attack surface exposure
Cybersecurity due diligence is essential for ascertaining unknown liabilities that buyers may assume during M&A transactions, reducing investor capital risk, and giving deal teams a competitive edge in negotiations to enhance returns.
The Cyber Risk Due Diligence Team
When a dedicated cyber risk management team reports to the deal team, it frees them to focus on business-related M&A activities. The risk team could consist of in-house security, IT experts, and external advisors. Risk team duties should include the following:
- Assessment of individual and collective buyer and target cybersecurity, including the ability to detect and respond to threats
- Identification and mitigation of cybersecurity risks before deal close, including unreported or unknown data breaches
- Quantification of possible remediation costs from operational, financial, and reputational perspectives
- Use of industry-leading standards in the new company’s cyber risk program
- Development of a cybersecurity program for future operations
Cyber risk assessment typically employs a custom framework that draws on industry-leading practices, globally recognized standards, and requirements unique to the deal. The framework facilitates in-depth analysis of the target’s cyber risk, including IT governance, information security, physical security, operations, and overall risk.
The cyber team’s core methods could include onsite workshops, cyber risk profiling, and offline document and system review. A thorough examination of target history, penetration testing, meetings with key target personnel, and data center examination may be necessary to compile an accurate report.
With the knowledge gained, the risk team may decide to do a gap analysis and cyber diagnostic to discover any active or dormant threats. After completing the cyber threat assessment, the team may create a cyber risk mitigation plan.
The Top Cybersecurity M&A Risks
Dealmakers often assume cybersecurity is included in intellectual property or IT reviews. It’s not. And because every deal is different, each M&A comes with a unique set of cybersecurity risks that the risk team should uncover.
Perhaps because every deal is different, leading cybersecurity experts express different opinions about the top cyber threats that need to be addressed during M&A.
“In my opinion, the biggest cybersecurity risks today are cloud security posture and third-party software inventory and bill of materials, or SBOM. These risks impact not only product acquisitions but our ability to secure and operationalize business capabilities within Cisco.”
— Jacob Bolotin, Cisco Technology Audit Director
Five areas are productive for your cyber risk due diligence team to investigate. Anomalies in any of them are red flags that require deeper investigation.
Cybersecurity History
Your risk team should investigate the target’s cybersecurity history by examining private internal documentation and external public sources.
- Does the target have any SOC audits, vulnerability scans, privacy impact assessments, or penetration tests performed in the last two years?
- Have they experienced any data breaches, ransomware attacks, or other cybersecurity events in the past two years?
- How did they respond to prior events?
- Are any reports available from internal or external forensics or legal sources regarding events?
An incomplete history may be an attempt to cover up security breaches, or it may expose a shoddy security program.
Missing or Incomplete Cybersecurity Documentation and Infrastructure
A document review confirms whether the correct cybersecurity foundation is in place. It should reveal a suite of documentation, including:
- Change and configuration management
- Business continuity plans
- Incident response attestations
- Hardening guides for endpoints and servers
The presence of a written cybersecurity policy and network diagram demonstrating network segmentation shows the organization is putting thought into security. A sequence of documented scans and remediation efforts demonstrates active risk management.
Internal and External Vulnerabilities
Hackers look for external vulnerabilities in internet-facing features to access critical data. Common vulnerabilities include:
- Weak passwords
- Outdated or unpatched software applications
- Poor firewall configuration
- Misassigned read/write permissions
- Lack of preparation for an incident
Unwanted visitors or company personnel can exploit internal vulnerabilities. It’s common for staff to shift during M&A activity as businesses integrate, and losing talent creates enormous potential for cybersecurity risk. Red flags include misleading or incomplete information about security or about ongoing data breaches.
Deal Execution and Integration
Executing deal terms can carry cybersecurity risks arising from warranties and indemnities, non-compliance with data regulations, and customer claims.
Integration often creates a patchwork of systems that conceals vulnerabilities and risks. Attackers lying dormant in the target can become active inside the buyer once the two environments are integrated. A clear target operating model and a cybersecurity roadmap help with discovery and elimination.
Digital Value Creation
Value creation is undergoing a revolution built on the Internet of Things, robotics, artificial intelligence, smart technology, ecosystems, and digital systems, all of which hackers can exploit. These solutions present an expanded cyber-attack surface and possible exposure to compromised third-party software.
“Whether we transition capabilities to run within Cisco or leave them for the acquired company to operate,” said Cisco’s Jacob Bolotin, “we must have a thorough understanding of any third-party risks that may exist in IT, in the technologies and systems used by the acquired company, or anywhere else. Especially those that may impact the broader Cisco enterprise as the new entity is integrated.”
Cybersecurity risks in M&A change with every deal. Using best practices, a cybersecurity due diligence risk team will help uncover vulnerabilities in time to mitigate risks.
Best Practices to Mitigate M&A Cybersecurity Risks
Viewing cybersecurity risks as a balance sheet liability allows you to implement best practices to mitigate them. Begin building a perspective of cybersecurity risks and possible costs from the deal’s beginning.
Quantifying liability will bring a critical understanding of financial exposure that you can factor into negotiations. You’ll also be able to transfer liability to the insurance market through warranty and indemnity or cyber insurance.
Building a Cybersecurity Roadmap
Today, every deal is a technology deal because tech pervades every aspect of business, rendering a cybersecurity roadmap an essential aspect of M&A due diligence. Your strategic cybersecurity roadmap documents both organizations’ security goals and how they will accomplish them.
Failing to use a well-thought-out and implemented cybersecurity roadmap can create friction during M&A activities and give rise to exploitable vulnerabilities: security measures in one company may conflict with efforts in the other, and standards may be ill-defined in one of them. A SWOT analysis should reveal inadequacies in cybersecurity roadmap documentation.
Your roadmap documents that proper controls are tested and continuously improving. Start by cataloging all assets and how they are protected, including IT systems and datasets. Next, document access controls and then disaster recovery, and so forth.
Managing M&A Risk and Deal Teams
The risks associated with technology aren’t going away but will continue to grow. M&A cybersecurity must keep pace. As more companies see value in acquiring, merging, and divesting, more bad actors will be attracted by the vulnerabilities presented. Cybersecurity-specific due diligence has become imperative.
M&A deals increase in complexity as technology grows and the amount of data that must be managed multiplies. Burgeoning cybersecurity risks add another layer of intricacy to navigate as you coordinate the activities of your risk team with your deal team.
A single source of truth manages the many facets of M&A deals and keeps all team members informed and working together toward common milestones. You’ll be able to track each target, email, document, and more.
Configure the software to meet your specific needs with customizable lists, fields, and reports for all aspects of your deal, including security due diligence. You’ll have built-in security controlling access to each deal, while two-factor authentication, audit logs, optional single-sign-on, and data encryption protect your sensitive data at the highest level.
See Devonsoft in action and experience how it can power your strategic growth with minimal risk – Schedule a call today.