By David Monnier, Chief Information Officer, Chief Evangelist, at Team Cymru
So your company is embarking upon an M&A. Have you assessed your cyber risk yet? M&As are an integral part of business growth across all sectors. But too often organizations don't consider assessing the cyber risk of the company they're acquiring, or they wait until after the deal has closed. Only then do they learn about undisclosed data breaches or a lack of security practices that they've now inherited, increasing their financial, compliance, and reputational risk.
Assessing the cybersecurity risks of an acquisition early in the process can save millions of dollars in avoided data breach costs, and provide awareness around the risk you're inheriting. Here are some of the reasons why it's crucial to assess your cybersecurity risk and ways to ensure that you're doing your due diligence around cyber risk before your M&A.
Why Proper Cybersecurity Measures are Critical for M&A
Unknown security risks can pose a challenge for acquiring companies, ranging from simple headaches to massive risk and fines. When Marriott acquired Starwood in 2016, it didn't realize it was inheriting a data compromise that happened in 2014 and wasn't discovered until 2018, which exposed 339 million guest records and resulted in a $123 million fine. During Verizon's acquisition of Yahoo, Yahoo disclosed data breaches that compromised over 500 million users' information. Because of that risk, Verizon's deal price dropped by $350 million. Ultimately, 53% of organizations say they've encountered a cybersecurity issue during an M&A that put the deal in jeopardy.
Why should you make cybersecurity a priority in M&A?
1: Strengthen your position when negotiating
One of the smartest tactics in approaching negotiations is to equip your M&A team with the most complete view of risk, one that includes cyber risk. Any information that shows the target M&A candidate to be weak or vulnerable to cyber threats, or to carry higher than normal risk compared with its peers, provides a strong position from which to negotiate down the overall value. This drives value for investors and key stakeholders.
2: Reduce acquired risk
The biggest reason to properly assess the cybersecurity practices of the company you're acquiring is to reduce your own risk. Performing a thorough assessment of how the target company keeps its assets and data secure means you have a better understanding of the risk you're bringing into your organization. Assuming their vulnerabilities increases your risk of compromise — and the costs associated with it.
3: Compliance requirements
Another reason is to ensure the target company is adhering to legal and regulatory requirements related to data privacy and security. This can help identify compliance gaps, help prevent regulatory fines, and further inform the risk the acquiring company is absorbing, ensuring that the target company is in compliance with all relevant laws and regulations before the deal is closed.
4: Brand reputation
Finally, there's the brand reputation impact that comes with acquiring a company that has had a data breach in the past, or whose practices will put the acquiring company at risk of a data breach in the future. In the aftermath of a cyber attack, customers, investors, and regulators may lose confidence in the company's ability to protect sensitive data, leading to a decline in market value, loss of revenue, and damage to brand reputation that could take years to recover from.
Cybersecurity Assessment in the M&A Process
Integrating cybersecurity due diligence early into the M&A process can help you better understand the risk the target company is bringing to your company. Here's how to make cybersecurity assessment a key part of your M&A strategy.
Acquiring companies should begin the cybersecurity assessment process as early as they can, even when initially screening for target companies. Unfortunately, only 5% of organizations perform their cybersecurity assessment pre-acquisition, and 57% perform it while the transaction is being completed or post-acquisition. Many organizations are not taking advantage of low-effort, low-impact methods of gaining critical risk insights on target M&A candidates. These can include outsourcing passive asset and vulnerability discovery to a third-party platform to quantify the overall size and scale of the target's footprint, then measuring the level of risk. Starting the process early allows business leaders to better assess the risk associated with the M&A overall, which may impact the valuation.
When it comes to what to review, investigate the following areas to gain more insight into their security practices:
Policies and procedures: What policies and procedures are in place that prescribe how they protect their environments? Knowing the policies that both the security team and the broader organization follow can help create a more comprehensive picture of risk across the organization.
Cloud security: Evaluate the security of all cloud-based infrastructure or services used by the target company. This is especially critical as partial migration may result in hybrid environments that need to be managed.
Cybersecurity incident response plans: Next, evaluate the incident response plans the organization has in place, and whether those plans satisfy any framework requirements for a CIRP. Is the incident plan a thorough response to attack, or is it outdated? More importantly, if it's been used, was it sufficient?
Third-party vendors and partners: An increasing number of security incidents originate in vulnerabilities in third-party resources. Assess your target company's third-party relationships to see whether they've properly assessed the risk, and how much control they have over each relationship.
Review past cybersecurity incidents and breaches, if any: Any acquiring company needs to know about any past security incidents that may have compromised sensitive information. Unfortunately, many M&As are closed without knowing what data and assets have been put at risk in the past, which could compromise the future.
Research historical attacks on target competitors or peers to assess adversary profiles: Get to know the type of adversary that has attacked the company you're acquiring or those like it. If their profile is different from those that typically go after your organization, you can anticipate how you'll need to expand your threat profiling in the future.
Finally, once you have assessed the cybersecurity practices and risks of your target company, you can quantify those risks and develop a plan to mitigate them. This plan may include developing a cybersecurity integration plan for the target company or renegotiating the deal terms to account for the identified risks, creating further opportunities for savings.
Cyber Due Diligence Today
Assessing the cybersecurity risks of an acquisition early in the process can save millions of dollars in avoided data breach costs, and provide awareness around the risk you're inheriting. Start your cybersecurity due diligence process early in the M&A cycle to make sure you're reducing risks and getting the best deal possible.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.