Cybersecurity in Merger and Aquisitions

 

Cybersecurity in M&A 

A Growing Priority for Decision Makers

In the dynamic landscape of mergers and acquisitions (M&A), decision-makers are increasingly prioritizing cybersecurity risks. 

A detailed survey by Forescout provides key insights into the current state of cybersecurity in mergers and acquisitions, the survey that involved nearly 3,000 IT and business decision makers reveals a growing emphasis on cybersecurity in M&As. 

The study found that 81% of respondents now prioritize a target's cybersecurity posture more than in the past with 62% agreeing cyber risk is their biggest concern post-acquisition.

This trend highlights the recognition of cyber risks as potential deal-breakers, capable of causing significant financial and reputational damages.

" Take the Verizon acquisition of Yahoo in 2017 as an example. Following Yahoo’s security breach disclosures, there was a $350 million acquisition price cut."

The study highlights this shift, noting the importance of continuous cyber assessment throughout the M&A process. It's no longer a one-time check but a critical, ongoing evaluation.

Key Findings

Transparency 🚫 - An undisclosed data breach is a deal breaker for most companies: 73% percent of respondents agreed that a company with an undisclosed data breach is an immediate deal breaker in their company’s M&A strategy

Plan for continuous assessments 🔄 - Decision makers sometimes feel they don’t get enough time to perform a cyber evaluation. Only 36% of respondents strongly agree that their IT team is given time to review the company’s cybersecurity standards, processes and protocols before their company acquires another company. The results emphasize the importance of proper evaluation and time in ensuring successful M&A outcomes.

Acquisition Regrets🤦- 65% of respondents regret their M&A decisions due to cybersecurity concerns. Failure to address cyber risk can lead to major acquisition regrets: Nearly two-thirds of respondents (65%) said their companies experienced regrets in making an M&A deal due to cybersecurity concerns.

Integration Delays⏲️- 49% encountered unknown or undisclosed cybersecurity issues, causing M&A timeline delays. 54% reported minor delays and losses under $1 million; 50% faced major delays with similar financial impact.

Significant Losses💸 - 22% experienced losses over $1 million due to cybersecurity incidents.

Challenges during Cyber Security Due Diligence

Capability - IT Skills Gap 🧑💻 

Among ITDMs, only 37% strongly agree that their IT team has the skills necessary to conduct a cybersecurity assessment for acquisition.

Scope - Misalignment Issue 🔍

There's a disconnect between what is perceived as vulnerable and what is actually evaluated in new acquisition assessments.

Shadow M&A - Unaccounted Devices 🕵️

53% of ITDMs discover devices not accounted for post-integration of a new acquisition.

Device Assessment Discrepancy - Vulnerability vs. Assessment 🚨

There is a misalignment between what is considered vulnerable by ITDMs and what is actually assessed during M&A. For example, 78% believe network infrastructure like routers and switches are vulnerable, yet only 58% say these are assessed.

Missing Assets - Inventory Gaps 📦

Traditional IT (58%), IoT devices (48%), and cloud infrastructure (43%) are most likely to be missed during asset inventory. On average, companies find a vast number of connected devices unaccounted for, with some finding over 500,000, posing a risk for unnoticed malware or rogue devices. 

Human error, configuration mistakes, and vulnerable connected devices are cited as the top risk factors during information and technology integration

Cybersecurity Posture Assessment - Priority Levels 💡

Many feel that cybersecurity assessments are not given enough priority, with only 57% of firms hiring auditors for this task. When assessing cybersecurity posture, 67% look at traditional IT, followed by network infrastructure (63%), and OT (55%). 

Operational Technology (OT) Concerns - Overlooked Risks ⚠️

Although 73% consider OT as most vulnerable and 55% actually assess it, 47% report that OT assets are most likely to be missed during inventory.

Key Takeaways

Don't start too late ⏳ 

The phase of the M&A cycle when cybersecurity assessments begin is critical for several reasons. Early Detection of Risks: Starting early, such as during the strategy or target screening phase, can identify potential cybersecurity risks before proceeding further, Due Diligence: Comprehensive due diligence requires a thorough understanding of the cybersecurity posture of the target company. Late assessments may not provide enough time for this. Integration Planning: Identifying cybersecurity issues early can inform the integration strategy, helping to ensure a smooth transition and integration of systems and data.

Indeed, the survey results indicate that only 6% wait until the integration phase to assess, but the results also suggest that many view the cyber assessments as a point-in-time exercise rather than continuous cycle throughout the M&A.

• 38% initiate cyber assessments at the M&A strategy creation phase.
• 33% begin assessments during the target screening phase.
• 22% start during the due diligence phase.
• Only 6% wait until the integration phase to commence cyber assessments

Contractual Safeguards 📝: Incorporate contingencies and clawback clauses in M&A contracts to cover unforeseen cybersecurity risks and allow for the termination of a deal if due diligence uncovers misrepresentations.

Comprehensive IT Training 🎓: Provide in-depth training to IT teams to equip them with the necessary skills to identify and manage M&A-related cyber threats.

Allocate Funds for Cybersecurity Audits 💰: Ensure adequate budget allocation for external cybersecurity audits, which can prevent costly surprises in the long run.

Asset Management & Inventory Focus 📊: Maintain a robust inventory of all assets to fully understand the cyber risks they may pose. This should be a standard practice to reduce cyber risks during M&A.

Thorough Audits by Internal & External Teams 🔍: Encourage internal audits and bring in third-party auditors when necessary to ensure comprehensive due diligence is met.

Enhanced Cybersecurity Controls 🔐: Implement advanced controls to protect your organization, considering identity verification, risk management, and data integrity.

Variability in Cyber Assessment Practices 🔄

Despite this increased focus, there is notable variability in when organizations commence their cyber assessments. Some begin at the strategy creation phase, while others delay until due diligence or even the integration phase. This inconsistency points to a lack of standardized practices in cyber risk assessment during the M&A.

The Need for Continuous Evaluation 🔍

The article underscores the importance of continuous cyber risk evaluation throughout the M&A process. This approach ensures that emerging vulnerabilities are identified and addressed, safeguarding the acquisition against unforeseen cyber threats. The article argues for an early start to the due diligence process, emphasizing thorough evaluations to uncover risks and potential areas of concern.

Conclusion

The insights from Forescout's study and the evolving M&A landscape signal a clear need for standardized and proactive cybersecurity measures.  Integrating robust cyber assessments from the onset of M&A discussions is not just a strategic move but a necessity to ensure the long-term success and security of the acquisitions.