Cybersecurity in M&A 


A Growing Priority for Decision Makers


In the dynamic landscape of mergers and acquisitions (M&A), decision-makers are increasingly prioritizing cybersecurity risks. 

A detailed survey by Forescout provides key insights into the current state of cybersecurity in mergers and acquisitions, the survey that involved nearly 3,000 IT and business decision makers reveals a growing emphasis on cybersecurity in M&As. 

The study found that 81% of respondents now prioritize a target's cybersecurity posture more than in the past with 62% agreeing cyber risk is their biggest concern post-acquisition.

This trend highlights the recognition of cyber risks as potential deal-breakers, capable of causing significant financial and reputational damages.

" Take the Verizon acquisition of Yahoo in 2017 as an example. Following Yahoo’s security breach disclosures, there was a $350 million acquisition price cut."

The study highlights this shift, noting the importance of continuous cyber assessment throughout the M&A process. It's no longer a one-time check but a critical, ongoing evaluation.

Key Findings


Transparency đźš« - An undisclosed data breach is a deal breaker for most companies: 73% percent of respondents agreed that a company with an undisclosed data breach is an immediate deal breaker in their company’s M&A strategy

Plan for continuous assessments 🔄 - Decision makers sometimes feel they don’t get enough time to perform a cyber evaluation. Only 36% of respondents strongly agree that their IT team is given time to review the company’s cybersecurity standards, processes and protocols before their company acquires another company. The results emphasize the importance of proper evaluation and time in ensuring successful M&A outcomes.

Acquisition Regrets🤦- 65% of respondents regret their M&A decisions due to cybersecurity concerns. Failure to address cyber risk can lead to major acquisition regrets: Nearly two-thirds of respondents (65%) said their companies experienced regrets in making an M&A deal due to cybersecurity concerns.

Integration Delays⏲️- 49% encountered unknown or undisclosed cybersecurity issues, causing M&A timeline delays. 54% reported minor delays and losses under $1 million; 50% faced major delays with similar financial impact.

Significant Lossesđź’¸ - 22% experienced losses over $1 million due to cybersecurity incidents.



Introduction
As many of you know the Schengen Agreement (Named after the Luxemburg City "Schengen" where the initial contract was signed) introduced the free flow of goods and people across the European Union. Many claim it to be on of the core backbone agreements of the European Union.

Synopsis
Germany decided to introduce border controls following the SARS-CoV-2 epidemic during  March-Mai 2020. Luxembourg has a particular situation that is best displayed via this illustration: every day over 1/3 of the entire working population enters the country via Germany, France, and Belgium to drive home in the evening thus passing these very borders every day. 



This blog post will be updated periodically as I come across new practical information and experiences. You can subscribe to my blog if you wish to be kept updated.

Updates : 
  • 24.07.2020: Added number of reported data breaches to Statistics
  • 25.07.2020: Added the Role of the DPA as captured within the GDPR and added references
  • 25.07.2020: Added the section "Parliamentary Oversight" capturing parlamentary enquiries
  • 26.07.2020: Corrected the part about getting a copy of your original complaint. In fact, I only have received parts of it and am still waiting to receive the rest.
  • 27.07.2020: Due to popular demand I added a section "Legal Procedure".

I thought it is useful for the general audience to summarise my experience working with the CNPD as a Data Subject. Aligned with many other administrative procedures in Luxembourg: they have a nice appearance at the frontend but are tilted against your interest in the backend.




RTL  published [1] an Interview (8th of July 2020)with Paul Wilmes a Full professor in "Systems Ecology" at Uni Luxembourg.

Paul Wilmes [2] is quoted as saying:

  • LU: "Et hätten ni Deeg ginn zu LĂ«tzebuerg, an deene keng Nei-Infektiounen derbäi sinn."
    EN: "There has not been a single day in Luxembourg that we did not have new infections"

    Ed. : Unfortunately, that's just a basic fact of life (and science for that matter). There won't be any day that there are no (0) new viral infections in Luxembourg. It is dangerous to think or portray the short term (or even long term) goal as having no (0) infections. That's a matter of impossibility. If interested see my prior post about some of the dynamics [3]
  • LU: "D'Zuelen schwätzen eng kloer Sprooch an d'WĂ«ssenschaft kann nĂ«mmen weider un d'Leit appellĂ©ieren, d'Mesuren anzehalen a sech testen ze loossen "
    EN:  The numbers speak a clear language and science can only continue to plead to the people, follow the measures.

    Ed. : This diatribe has 0 content that is convincing or conveying the "Why". If anything, what follows points to science not speaking a clear language.

  • LU: DĂ©i nei Fäll sinn haaptsächlech duerch Infektiouns-Cluster gedriwwen, dat heescht duerch grouss Usammlungen vu Leit. Manner an de Schoulen, mä Ă©ischter op de Partyen. Et gĂ«tt awer och sporadesch Fäll vu Persounen, dĂ©i sech am enke Kontakt mat Aneren ugestach hunn. Dat Ganzt wier ebe gedriwwen duerch sozial Kontakter
    EN: The new positive tests are mainly rooted in infection clusters, meaning a big gathering of people. It is less the Schools but more partys. There are however also "sporadic" cases of people that infected each other through close contact. The pandemic is driven through social contacts.

    Ed: We learn that the Virus prefers Partys, and the Virus dislikes Schools. We also learn that "social contacts" are the problem. It is evidently the physical distance, not social contact.
    N.B this follows right after the "science speaks a clear language" diatribe.
  • LU: Eng Tracing- App wier en effikasst Instrument, confirmĂ©iert de Mikrobiolog.
    EN: He confirms that a tracing app is an efficient/effective mechanism

    Ed:  We learn that tracing-apps are effective - although all data points to the Opposite. As an example, the Germany Corona app had over 14 million downloads. It alerted 310 people, of which we do not even know the percentage actually was that ended up being infected.
Disclaimer: I do think the Pandemic is a Problem, this series is solely looking at the state of reporting and journalism in Luxembourg. There is no intent to downplay the consequences of the Pandemic. It is, however, laughable how the Government and Press fail to communicate consistently, truthfully, and logically. Giving births to deniers as a result of losing trust.

The R number points to weeks where we will need to be cautious in Luxembourg, but it is not through such journalism that we will succeed in winning over the population to do the right thing. A totalitarian draconian political approach won't work either. Be honest/truthful, humble, try your best to be neutral and say what the things are that we/you do not know. That wins trust and that wins the reader because it is truthful. We never were in such a situation, there are a lot of known unknowns and unknown unknowns. Just say it, there is no shame in not knowing.

[1] https://www.rtl.lu/radio/invite-vun-der-redaktioun/a/1545684.html (08.07.2020)
[2] https://wwwfr.uni.lu/lcsb/people/paul_wilmes
[3] https://blog.zoller.lu/2020/07/luxembourg-press-coverage-on-sars-cov-2.html


"The amount of cases in the last 3 weeks has increased 10 fold!"  That's what I read in the article [1] published by RTL today on the 7th of July 2020. There is no indication or thoughts as to what could be the reasons for that increase and the conclusion is left to the reader.

Hoping to see press coverage that went a bit further than just relaying official statements I had a read and also opened up [2] Ben Elsen's excellent statistical analysis.

According to the article, there was apparently a 10 fold increase in the last three weeks - so let's take a look at the percentage of positive tests in that time period :



I am unable to see a 10 times increase in relative Positive Test numbers, so what can that possibly mean?



In the graph above, we can see that the number of tests have increased roughly 10 fold over the last 3 weeks aswell.

And that's what we don't call journalism my friends you cannot just communicate such numbers without any context or even attempt at explanation. This article is throwing a bunch of copied figures at the reader, without any additional insights or analysis. Worse, it leaves us with the thinking that all hell will break loose soon.

20 years ago we called that "spreading FUD" (Fear Uncertainty and Doubt). It's the self-feeding journalistic echo chamber that lets the clicks coming and the paranoia rise. It is unfortunately also what creates the very people that ignore the requirements to wear masks because they believe that everything that they read is a bunch of BS and loose trust. (In my humble opinion, such reporting  deserves that judgment).

In all fairness, the R number points to weeks where we will need to be cautious in Luxembourg, but it is not through such journalism that we will succeed in winning over the population to do the right thing. A totalitarian draconian political approach won't work either. Be honest/truthful, humble, try your best to be neutral and say what the things are that we/you do not know. The result is trust because the message is truthful. We never were in such a situation, there are a lot of known unknowns and unknown unknowns. Just say it, there is no shame in not knowing everything at 100% at this stage.


[1] https://www.rtl.lu/news/national/a/1545407.html
[2] https://donneeen.lu/covid19/overview/