Ignoring Cybersecurity Can Sour M&A Deals

Steve Durbin is Chief Executive of Information Security Forum. He is a frequent speaker on the Board’s role in cybersecurity and technology.

When a private equity firm acquired a midsized manufacturer late last year, it did not know that someone else had set their sights on the same target. Just two months after the purchase closed, a cybercriminal organization launched a crippling ransomware attack that locked up the manufacturer's systems. The acquirer eventually paid $1.2 million to have the systems released, a risk it had not accounted for during the M&A process.

When buying a company, remember that you are taking on new cyber vulnerabilities and risk.

Just as an acquirer assumes a target's financial debt and liabilities, it also assumes all of the target's cyber vulnerabilities and its entire risk profile. A single miscalculation or underestimation of cyber risk can lead to severe consequences such as erosion of share price, loss of reputation and exposure to lawsuits and investigations. For the seller, any leak of financial or customer information, intellectual property or confidential data can cost it its competitive advantage, reduce the company's valuation (recall Yahoo-Verizon) or even become a deal breaker by triggering a material adverse change (MAC) provision.

While it is typical for potential investors to assess financial, legal, operational and reputational risks, data shows that less than 10% of deals involve scrutiny of cybersecurity practices. To top it off, the FBI has warned that opportunistic cybercriminals have been targeting M&A deals. M&As are considered low-hanging fruit: People are distracted, big money is involved, and the integration of people, processes and technology can expose exploitable gaps.

Always perform a cybersecurity assessment before completing an M&A deal.

On the upside, Gartner predicts that by 2025, 60% of organizations will treat cybersecurity risk as a primary deciding factor in third-party transactions. This is because cyber diligence favors both buyer and seller. For the buyer, a $50,000 assessment can potentially avert $5 million in risk exposure or loss of IP. It also gives better visibility into the cybersecurity-related costs the acquirer is likely to incur during integration. Such insights help buyers see a fuller picture and negotiate better acquisition terms. For the seller, performing a risk assessment in advance helps fix problems before they come to the buyer's attention, provides a third-party endorsement and instills greater confidence in the valuation.

Bring your chief information security officer into the deal negotiations.

It is common for CISOs to be left out in the cold while a deal is being negotiated. IBM attributes this to two main reasons: the inexperience of security teams with the M&A life cycle and the need to keep the number of people who know about the transaction to a minimum.

Security leaders must learn to speak the language of the business. When CISOs build meaningful relationships with other business leaders, they earn a chance to join the conversation early. The idea is not to push one's own agenda but to offer observations and recommendations that add value to the deal.

For example, during the pre-acquisition phase, it is common for businesses to treat cybersecurity as something that can be dealt with later. Yet this is precisely the phase in which information leaks, speculation mounts and competitors are alerted.

Consider security throughout all stages of the acquisition process.

Security can also play a major role during closing and post-acquisition. When due diligence kicks off, security leaders can supply a list of high-level security questions tailored to the target's infrastructure. The answers offer an initial view of the target's overall security posture and help determine whether closer scrutiny is necessary.

The integration phase is the point at which security teams become responsible for the acquired entity. This is where security leaders can help establish new procedures and policies for the merged business. Post-acquisition, when the buyer has assumed full risk, some systems may not yet be fully integrated, leaving a number of weak spots across the business. Cybercriminals have by now read the press release and know an integration is underway. There is also heightened insider risk from disgruntled employees.

Sixty-five percent of companies report regretting an M&A deal because of cybersecurity concerns. This is likely because more than half of companies wait until after due diligence is complete before performing any cybersecurity audit.

Set the stage for M&A security best practices.

Security leaders should engage early so they have the opportunity to influence decisions and outcomes as soon as possible. Remember that risk assessment must continue throughout the M&A life cycle, from target screening to due diligence, pre-integration planning and, eventually, full-scale integration. Keep a watchful eye on security red flags such as missing or weak documentation, security practices or procedures; an absent audit history; poor inventory and application tracking; a lack of architectural discipline; signs of poor or incomplete integration; and weak adherence to compliance and security frameworks. If something does not look right, it probably is not, and it should be flagged to your executive team immediately.

Security responsibility does not end at integration. Once the acquisition is complete, continue to streamline security tools and processes, and keep reinforcing the importance of staying secure and vigilant with your employees, suppliers and business partners. This not only builds a foundation of trust and transparency across the newly integrated ecosystem but also sets the stage for future M&As.
