Mergers and Acquisitions (M&A) are a popular strategy for companies looking to expand their footprint and increase opportunities. The total number of M&A deals from June 1, 2020 to June 30, 2021 was 16,672, up from 13,446 in the twelve months prior. Companies pursue M&A strategies for many reasons, such as achieving greater economies of scale, attaining greater market share, geographical diversification, or the acquisition of new technology. However, it's also important to remember that when you acquire or merge with another company, you get the bad along with the good. Just like any relationship, there is baggage that each party inherits. In terms of security, an acquiring company inherits any existing cybersecurity vulnerabilities, incidents, and resulting liabilities along with the beneficial assets that are being purchased. In a digitally connected world in which cybersecurity incidents continue to garner the headlines, a target company with a history of not prioritizing its security responsibilities can end up creating problems for the acquiring company. Sometimes that baggage can outweigh any perceived benefit.
Cybersecurity Audits are now Standard Practice for M&A Transactions
M&A transactions can take months or even years to complete. One reason is that it's essential for the initiator of the deal to perform due diligence and gain a complete understanding of the target organization. You need to know what you are getting into. This includes a cybersecurity audit to identify the security controls and intrinsic vulnerabilities of the target enterprise. An undiscovered data breach can not only cripple the deal but also introduce potential liability in the form of financial burden and/or reputational damage. Some of the questions that need to be answered in an audit include:
- Does the target company conduct regular risk assessments, vulnerability scans, and penetration tests of its systems?
- Does the target company have a documented cybersecurity strategy that is enforced from the top down and across the entire organization?
- Does the target company have a written Incident Response Plan (IRP) that is regularly tested and rehearsed?
- Has a recent compromise assessment been conducted on the target company to identify any vulnerabilities?
- Has the target company had a recent security architecture review to assess the strength of its infrastructure?
- Does the target company have a program in place to train its employees on privacy and security best practices?
According to a recent (ISC)2 study on M&A and Cybersecurity, study participants unanimously stated that cybersecurity audits have now become standard practice for M&A activity. Survey participants listed cybersecurity considerations as a major factor in determining the viability of a deal. In total, 77% reported making M&A recommendations based on the strength of an existing cybersecurity program.
A Poor Cybersecurity History Can Tarnish a Deal
Just as a poor credit history can come back to haunt someone who is seeking a mortgage or personal loan, a company's cybersecurity history can hamper M&A interest for years to come. According to the study mentioned above, half of the survey respondents agreed that the discovery of previously undisclosed breaches would derail a deal.
As an example, the acquisition of Yahoo by Verizon back in 2017 for $4.48 billion nearly fell through due to two data-breach incidents that came to light during the negotiations. The first attack involved the personal data of some 500 million users and included unencrypted passwords. Login credentials and personal information were also compromised for nearly 1 billion users in the second attack. In the end, Verizon chose to go ahead with the deal at a reduced purchase price. Even so, it proved a costly inheritance that reduced the intrinsic value garnered by the deal.
Another example involves the acquisition of the luxury department store chain Neiman Marcus. On October 25, 2013, a Canadian group completed an acquisition of the retailer. What they didn't know was that a cyber incident had taken place as early as July 16, 2013, in which malware was injected into the company's payment-processing system. The incident would eventually compromise the data of 350,000 customer payment cards. Neiman Marcus became aware of the fraudulent use of those payment cards on December 17, 2013. On January 10, 2014, it publicly disclosed the incident. In 2017, it eventually paid $1.6 million to settle a class-action lawsuit filed on behalf of those whose card information was exposed.
Cybersecurity Can be an Acquired Asset
It is important not to view cybersecurity only as a liability in terms of M&A activity. In the study mentioned above, 95% of survey respondents considered cybersecurity programs a tangible asset, while 63% considered security tools to be general assets. Such assets include a company's cybersecurity infrastructure, risk management policies, and training programs. In fact, 82% stated that the stronger a company's cybersecurity infrastructure is, the higher the assessed value of the organization. With 50% of companies impacted by ransomware in 2020 according to a Cisco study, it is understandable why a company's cybersecurity expertise can be highly valuable to many other companies today.
What Cybersecurity Due Diligence Involves
The occurrence of a cybersecurity incident doesn't necessarily deter a merger or acquisition. How the company handled the aftermath of the breach, and what it did to fix the vulnerabilities, proves far more important in the end. If a breach is discovered during an audit or is known to have occurred previously, it is critical to know what data the attackers had access to and what data was viewed or exfiltrated. One must assess how the breach occurred and whether the company performed its duty of care in attempting to prevent such an attack in the first place. A company may be held liable for an attack that it could have prevented had it taken appropriate measures that are deemed reasonable.
The good news is that you don't need to wait for litigation to define what reasonable security is for your organization. An outside partner can perform a risk assessment using Duty of Care Risk Analysis (DoCRA) to determine that during the M&A evaluation process. HALOCK can fully evaluate the inherent risks of a proposed acquisition and determine the effectiveness of the current security controls, policies, and strategies used to secure the target organization's assets. We can discuss an independent review of your security profile and that of future mergers to help you make informed decisions.