Among the riskier activities enterprises can undertake are merging with or acquiring other businesses—and not just for the financial considerations involved. Mergers and acquisitions (M&A) present a number of cyber security risks that might not even be on the radar screen when merger discussions first begin.
A prime example of cyber security risk with such a transaction comes from the recent acquisition of Yahoo Inc. by Verizon. In September 2016 Yahoo announced that a recent investigation by the company had confirmed that a copy of certain user account information was stolen from the Yahoo’s network in late 2014. Some referred to the incident as one of the biggest data breaches of all time.
Based on the investigation, the company said it suspected that information associated with at least 500 million user accounts was stolen. At the time, Yahoo was in the midst of being acquired by Verizon. The deal was eventually completed in June 2017, but news of the data breach led to some speculation about whether the transaction would go forward.
Data breaches and other attacks by cyber criminals can happen to companies at any time. When it happens during a merger or acquisition, however, that can complicate things significantly.
There are other considerations, such as what are the security postures of both organizations involved in the transaction, and how well do they mesh? What are the security risks of employees who lost their jobs because of the transaction? What happens to the security staffs of each company once the merger or acquisition moves toward completion?
It’s clear that cyber security is an issue for companies when it comes to mergers and acquisitions. For instance, according to a 2017 study by West Monroe Partners’ M&A practice, which focused on M&A activity in the software industry, cyber security weighs heavily on the minds of investors.
For the study, West Monroe commissioned Mergermarket, a business development and market intelligence tool designed specifically for the M&A sector. Mergermarket surveyed 100 senior global executives in the first quarter of 2017, and found that cyber security continues to be an issue for software M&A, both in due diligence and post-close. More than half of respondents (52%) report discovering a cyber security problem after a deal closed, and far more said they have been displeased with past experiences conducting due diligence in cyber security (16%) than into either a target’s technology (1%) or operations (1%).
Cyber security was the number two reason software M&A deals were abandoned, and the second most-common reason buyers regretted a deal, the report said. Respondents said the top three reasons that deals fail are cyber security concerns (23%), financial and tax issues (23%), and problems with compliance (18%).
The most anxiety appears to come after the deal is done, the study said. Two in five respondents said problems during post-merger integration (41%) is their main worry when thinking about issues related to cyber security.
The challenge of managing cyber security risks with a merger or acquisition becomes even greater when you take into account the widespread shortage of skilled security professionals.
Companies involved in these transactions need to consider several best practices to help address the security risks.
For a company that’s considering acquiring another business, among the first steps as part of due diligence is to thoroughly examine and understand the security posture of the organization it’s planning to acquire. That includes looking at things such as pending claims and reported breaches, as well as any cyber security deficiencies that might be present.
Acquiring or merging companies need to do a thorough audit of all security policies and procedures in place and meet with the executives who are responsible for security, in order to gain greater insights into the degree of sophistication of the organization’s security program.
Another good pre-acquisition practice is to gather cyber security intelligence by leveraging a third-party and conducting a security questionnaire with the IT security staff of the target company. One of the goals of doing this is to identify the most strategically important information assets the company has, such as intellectual property and customer data, and to find out where that information is kept and how it’s being protected.
Also important is ensuring that the company has proactive employee communications in place regarding threats such as malware, ransomware, and phishing.
In an acquisition, the acquiring company needs to take action to remediate any discovered vulnerabilities, and evaluate the security policies of both companies to find any gaps that must be addressed. With a merger, the companies should each evaluate and compare their security programs and make any needed adjustments.