The Importance of M&A Cybersecurity in Company Acquisitions
M&A cybersecurity is a critical first step when a company is considering an acquisition or if companies will be merging. Learn more about M&A cybersecurity.
Mergers and Acquisitions Are Prime Targets for Cybercriminals
Mergers and acquisitions (M&A) are one of the best ways for companies to achieve their growth goals, both quickly and over the long term. By bringing another organization into their portfolio or combining their efforts, valuations soar, customer bases increase dramatically, and capabilities expand exponentially.
Historically, M&A was intended to add to what an organization could do or achieve. Perhaps a competitor had a specific product line or service offering. By acquiring that competitor, an organization could instantly take ownership of that company’s market foothold, gain their intellectual property or service lines, and combine these with its own capabilities to command a stronger market share.
And while M&A is nothing new, the focus has now shifted from capabilities (though these are still important) to data. Virtually every organization now operates with significant amounts of data as its foundation. This data is generated en masse each and every day, but with that data, and the intent to acquire it or merge it with that of another company, come risks. Hackers and other cybercriminals view M&A as an ideal opportunity to breach networks; steal sensitive data; and cause all manner of legal, operational, and financial havoc.
M&A cybersecurity incidents aren’t decreasing, either. In 2018, several high-profile companies were hacked or experienced data leaks as the result of a merger or acquisition. In each instance, hundreds of millions of accounts and files were compromised. According to a recent Donnelley Financial Solutions/Mergemarket survey, 80% of global dealmakers said they’ve uncovered data security issues in at least one-fourth of their M&A targets in the previous two years.
When incidents like these occur, they can have a significant impact on the terms of the deal, particularly for the target — i.e., the company being acquired. When it comes to acquisitions in particular, the goal of the target is to maintain a certain valuation. This is a goal for the acquirer as well, particularly because the target can influence the acquirer’s stock price and more. But if the target experienced a security breach in the past, or is still in the process of recovering from one, its valuation — and that of the acquirer — can quickly suffer.
For example, Starwood — a major international hospitality organization — was acquired in 2018 by Marriott International. Just a few days after they announced the acquisition, Starwood disclosed a security breach leading back to 2014 in which more than 500 million guests were impacted, with credit card data, passport numbers, loyalty program accounts, and more all compromised. The result? A 5.6% decrease in Marriott’s share price and, at the time, a potential $200 million fine.
When Yahoo was acquired by Verizon in 2017, they disclosed two previous data breaches (500 million accounts and more than one billion accounts respectively), which resulted in the company’s sale price being reduced by $350 million! While the acquisition moved forward, determining how to manage the resulting risks and liabilities was no easy feat — a variety of negotiations and legal parameters were put in place to minimize Verizon’s involvement.
Effective M&A Cybersecurity Starts Earlier Rather Than Later
For many organizations, the decision on when to start a proper cybersecurity posture assessment (i.e., where a company stands in terms of its cybersecurity health) and determination of potential vulnerabilities isn’t always crystal clear. It makes sense to start the process as early as possible, but unfortunately, not every organization — even those that are actively involved in mergers and acquisitions as part of a long-term growth strategy, like private equity firms — is able to start as early as it would like.
Oftentimes, resources are the leading constraint. A study conducted by Forescout Technologies in early 2019 revealed that only a third of respondents felt they had sufficient time to conduct a cybersecurity assessment of the target’s processes and protocols before their company had moved on to the next acquisition. Among information technology decision-makers (ITDMs), only 37% felt that their teams had the necessary skills to conduct such an assessment.
But when it comes to timeline, this same study revealed that one-third of respondents started their M&A cybersecurity assessments in the late pre-deal phase, with another third starting the process in the pre-announcement and post-announcement phases. For the latter third, the risk of an existing incident being found as well as a new incident occurring increased dramatically, simply because the target’s technology was not reviewed earlier. Slightly less than 40% of respondents said they started the assessment in the M&A strategy step, which is an earlier portion of the pre-deal phase — and the best time to start.
With more and more organizations using M&A as part of their growth strategy, it’s more critical than ever to start this process as early as possible. However, it’s important that M&A cybersecurity assessments continue on well past the pre-deal stage into the integration and post-integration stages. In these phases, the truth of a target company’s cybersecurity strategy and practice will be brought to light — and the acquirer must be prepared to not only address any problems it encounters but also to prevent them from becoming problems in the first place.
In our next post on M&A cybersecurity, we’ll explore six categories that acquirers should consider in the due diligence process. By paying close attention to these six categories, acquirers and their counsel teams can ensure that the acquisition agreement has the most accurate picture possible of the potential cyber risks and vulnerabilities present or that might threaten a target’s security — and subsequently their own.
If M&A Is on Your Radar for This Year, Let’s Talk
If your organization is considering acquiring one or more companies this year, or if you’re considering a merger, Inversion6 can assist you in conducting a complete cybersecurity assessment. We’ll help your teams identify potential threats and vulnerabilities present in the target’s systems and develop a plan of action to mitigate those risks.