Why Cyber Risk Should Be a Top Consideration During Mergers and Acquisitions

essidsolutions

Many factors can impact the mergers and acquisitions (M&A) process, but companies need to focus more proactively on acquisition targets’ cyber hygiene. In a recent survey, 90% of dealmakers indicated that cyber breaches could reduce a deal’s value, and 83% said a breach could be a potential deal-breaker. Chris Hetner, an expert advisor to the Institute for Defense Analyses, stresses why organizational leaders must view cybersecurity as a tangible asset that affects the integrity of an investment.

Senior leaders often struggle to express the business and economic risks associated with cyber hygiene. As recently as March 2020, the US Cyberspace Solarium Commission recommended an update to the Sarbanes-Oxley Act (SOX) that would establish more accountability for senior leaders related to the health of their cyber program. It states that regulated, publicly traded companies should be compelled to “harmonize and clarify cybersecurity oversight and reporting requirements.” Specifically, the report noted that the update should include the following four points:

  • Define “information system” 
  • Specify corporate responsibility
  • Mandate document retention 
  • Require management assessments and attestation 

If enacted, this amendment would effectively enhance corporate accountability, significantly impacting due diligence conducted during the M&A process.

Costs Associated with Underlying Risks

The World Economic Forum estimates that cybercrime could cost the global economy as much as $6 trillion in 2021. While this number encompasses losses spread across the globe, a single organization’s negative financial outcomes can be devastating. One well-known data breach, arising out of M&A, cost the acquiring company an estimated $28 million in expenses and incurred more than $120 million in regulatory fines. When evaluating acquisition targets, it is critical to purposefully and thoroughly factor cybersecurity risk into the equation, to avoid absorbing an already compromised or breached entity.

Business interruption

Modern business models leverage hyperconnected technology platforms, which, if compromised, can lead to business interruption. For example, a ransomware attack or a Distributed Denial of Service (DDoS) attack can cause downstream business disruption for a manufacturer producing widgets or for a financial services institution trading or reconciling financial transactions. These digital business disruptions impact contractual legal obligations and counterparty obligations, because the company can no longer deliver the business outcomes it has committed to. M&A teams need to map cybersecurity risk onto these business outcomes.

Intellectual Property Theft

Technology companies often acquire organizations whose intellectual property enhances their current offerings. If a malicious actor – insider or otherwise – siphons intellectual property from the acquisition target, this undermines the competitive advantage the acquiring company hoped to gain from the purchase. Intellectual property may represent a significant aspect of an acquisition’s value, so assessing its potential vulnerability is a critical part of the M&A process.

In fact, under the SEC’s 2018 Cybersecurity Disclosure Guidance, companies are expected to understand and highlight risk factors associated with mergers and acquisitions. This level of due diligence and disclosure provides transparency to the investor community on the companies’ cyber risk management practices.


PII Leakage or Loss 

While often discussed in abstract terms, personally identifiable information (PII) remains a tangible, financial business risk. Stolen or leaked PII might include social security numbers, names tied to email addresses, or even IP addresses tied to users. Leakage or loss of this information poses two distinct financial risks. First, the acquiring company will inherit the data breach costs post-purchase. Second, regulations that enable class action lawsuits increasingly incorporate personal liability for senior leadership and directors.

The California Privacy Rights Act (CPRA), formerly the California Consumer Protection Act (CCPA), leaves the door open to civil lawsuits for privacy violations. Additionally, shareholder lawsuits are starting to allege that directors and officers breached their fiduciary duties by failing to implement appropriate security controls. To protect their organizations and themselves, M&A teams need to assess cybersecurity risk proactively and aggressively.

Companies should strive to reduce financial exposure by enhancing M&A cyber risk due diligence. As organizations build out modern M&A teams, security experts must have a seat at the table and a voice in the discussions as early as possible. As organizational M&A teams factor cybersecurity into their thought process, they can take several actionable steps to protect themselves and their organizations. 


Set a Look-back Period

According to the IBM 2020 Cost of a Data Breach Report, companies took an average of 280 days to identify a data breach. This means that the M&A team needs to think carefully both about the data security incidents an acquisition target knows about and about the incidents it may have yet to discover. A conservative estimate for this type of “look-back” period would be five years. As part of managing cybersecurity risk, an M&A team needs to consider more than just today’s cybersecurity posture and understand the target’s historical maturity.

Create Cyber Hygiene Benchmarks

Setting cyber hygiene benchmarks directly relates to the idea of setting a look-back period. All organizations will experience some type of data security incident, whether it makes headlines or not. Understanding how an acquisition target has matured its program provides visibility into its approach to security. Some considerations include:

  • How does its current cybersecurity risk management compare to five years ago?
  • How is it performing relative to peers?
  • Is there a CISO?
  • What is the proximity of the CISO to the CEO?
  • What is the Board of Directors’ level of engagement?
  • Is there cyber expertise at the Board level?
  • Were there material cyber incidents?
  • What was the root cause?
  • Did they fix the problem? 
  • Did they learn from their mistakes?

Unsatisfactory answers to these questions (or the inability to answer them) may raise serious red flags.

Engage an Independent Third-party

Independent third-party visibility into risk can come from different resources. At the initial review stage, security rating platforms leverage publicly available data from across the internet to surface risk. In January 2021, the Cybersecurity & Infrastructure Security Agency (CISA) noted, “security ratings ha[ve] driven cyber risk quantification as a way to calculate and measure cyber risk exposure.” As the M&A process progresses, both the acquiring company and the acquisition target should want to engage penetration testing teams. For the acquiring company, this provides valuable technical information. For the acquisition target, this enhances its negotiation stance, assuming it has a robust security program.


Parting Thoughts 

Cyber risk must be considered when acquiring companies, but that doesn’t mean that organizations need to be perfect. A company may be willing to accept or transfer a cyber risk, but the negotiation process needs to integrate those decisions. A company might refuse to acquire a target until it closes certain cybersecurity gaps, or it might include a contract provision making the acquisition target responsible for any realized events. Organizations need to mature their M&A processes in alignment with their security programs at every step of the deal, from the moment they begin conducting due diligence to the moment they finalize the contract provisions.
