
Assessing cyber risk in M&A

Taking proactive measures early on can help organizations avoid the costs that come with a cybersecurity breach.

In mergers and acquisitions (M&A), value realization is typically top of mind. But cyber risk is real. Given data privacy regulations and mandatory breach disclosure laws, cyber risk exposure can significantly affect post-merger valuations. When assessing the value of a potential acquisition, acquiring organizations must factor the cost of cyber risk into their deal strategy.

In 2016, a telecom provider based in the UK was heavily fined when a customer database it acquired earlier was hacked. In 2017, the price of Verizon’s acquisition of Yahoo’s internet business plunged USD 350 million after Yahoo disclosed three massive data breaches compromising more than 1 billion customer accounts.

Short-term and long-term security risks

Highly sophisticated threat actors target M&A activities because they offer the potential for short-term and long-term reward. With operations in transition, high-value data is often vulnerable. When publicly held companies are involved, the resulting media coverage can exacerbate the risk that threat actors will seize the opportunity to attack.

More than one in three executives surveyed said they have experienced data breaches that can be attributed to M&A activity during integration.

Furthermore, the data of the company being acquired or divested may not be the ultimate target. Instead, it may serve as an expedient way to break into the acquiring company. This is an entirely different category of advanced persistent threat: one that is carried over into the newly merged company by mistake. This tactic underscores the importance of cybersecurity oversight during M&A activities.

Chief Information Security Officers (CISOs) and their teams are key to protecting the assets and brand reputation of acquirers. They should play a significant advisory role in all activities of the M&A lifecycle. All too often, CISOs learn about, or are asked to engage in, acquisitions late in the deal lifecycle. This exposes organizations to significant risk, for example, when a breach occurs immediately post-acquisition.

More than half of companies wait until due diligence is completed to perform cybersecurity assessments.

In Q4 2019, the IBM Institute for Business Value (IBV) surveyed 720 executives responsible for the M&A functions at acquirer organizations. More than one in three said they have experienced data breaches that can be attributed to M&A activity during integration. Almost one in five experienced such breaches post-integration.

Get security experts involved early

There are several reasons why companies delay or disregard engaging security experts during M&A. In some cases, it’s attributable to inexperience with the complex M&A lifecycle. In others, there may be a desire to limit the number of people with knowledge of an impending merger. Restricting “line of sight” to a potential merger is understandable during the pre-acquisition phase; however, excluding risk and security domain experts is problematic, as security and compliance issues represent potential liabilities.

The solution isn’t cut and dried, but organizations have options. Learn about the proactive measures security teams can take to reduce cybersecurity risk throughout the M&A lifecycle.

Meet the authors

Julian Meyrick, Managing Partner & Vice President, Security Strategy Risk & Compliance, IBM

Julio Gomes, Vice President and Senior Partner, Digital Strategy; Global Enterprise Agility Leader, IBM Consulting

Nick Coleman, Global Leader, Cyber Security Intelligence and Risk, IBM Cloud and Cognitive Software

Stephen Getty, Partner, Cloud Advisory CoC Leader, Global IT M&A Leader, IBM Consulting

Originally published 03 May 2021