Prioritizing Cybersecurity and Privacy in M&A Deals

M&A transactions provide advantages for both buyers and sellers. Such transactions can empower both parties to forge stronger, more resilient business entities. Companies engaged in mergers, acquisitions, or any form of M&A activity must adeptly assess cybersecurity prerequisites that might impact the business strategy and future risks of the resulting entity.  

However, a complicating factor is, people make mistakes. In fact, mistakes help us grow and learn but mistakes can also allow illicit access to a company’s valuable data resources—especially regarding internet technology (IT), privacy, and cyber security. Depending on who is doing the research, human error is the root cause of 80-95% of cyber security breaches. Yet in mergers and acquisitions (M&A), cybersecurity and privacy considerations often take a back seat to valuation and synergy expectations.  

Recent studies, including an IBM survey, have highlighted the significant impact of cybersecurity breaches during M&A activities. Shockingly, one-third of executives surveyed reported experiencing data breaches due to M&A-related activities. Half of companies still wait until after conducting due diligence to address cybersecurity concerns, leaving a window of opportunity for hackers which can drastically impact valuations. 

In 2017, Verizon slashed $350 million from its acquisition deal for Yahoo’s operating business due to the revelation of two significant data breaches affecting all three billion user accounts.  

Initially, Yahoo stated that only over one billion accounts were compromised. Eventually, Verizon acquired the company for $4.48 billion. 

To address this vulnerability, it is crucial to shift the mindset surrounding cybersecurity in M&A transactions and view it as a balance sheet liability. Many companies have suffered substantial losses from cyber infiltrations during M&A deals, leading to short- and long-term consequences. Therefore, it is imperative to address potential exposure early in the deal evaluation process. 

One effective strategy for managing cybersecurity risks in M&A transactions is to conduct thorough cyber due diligence. This involves examining cyber risks, hidden costs, and operational vulnerabilities before finalizing the deal. Comprehensive cybersecurity diligence reports can reveal critical issues such as cybersecurity risks, vulnerabilities, IT hygiene concerns, and attack surface exposure, providing valuable insights for investors and deal teams. 

Following are three crucial areas that can significantly impact the value and success of M&A transactions: vulnerability testing, supply chain security, and data management. 

Vulnerability Testing: Uncovering Digital Weaknesses 

Vulnerability testing is akin to securing a house with multiple entry points. Businesses must assess their open-facing Internet protocol (IP) addresses for potential vulnerabilities in the digital realm. These addresses, often overlooked, can serve as gateways for threat actors to exploit. Companies can identify weaknesses and implement necessary patches or upgrades to mitigate risks by conducting thorough vulnerability tests. Neglecting such tests can have financial implications, as evidenced by a recent case where a lack of penetration testing impacted a company’s earnings and subsequent valuation in an M&A deal. 

Supply Chain Security: Assessing Third-Party Risks 

The supply chain extends beyond physical goods and includes IT vendors and cloud services crucial for modern business operations. Recent high-profile breaches, such as the Verizon-Yahoo acquisition, highlight the importance of vetting vendor relationships and assessing their security protocols.  

Even companies not operating at the scale of Verizon or Yahoo are vulnerable, as evidenced by breaches affecting payroll processing or customer service platforms. Furthermore, the supply chain encompasses third-party services like eDiscovery platforms, whose compromise can have far-reaching consequences. Understanding and addressing these risks are essential for buyers and sellers in M&A transactions. 

Data Management: Navigating Regulatory Complexities 

Data management presents complex challenges, especially with the proliferation of cloud services and diverse regulatory frameworks. Understanding where data resides, its sensitivity, and ownership rights are paramount. Compliance with regulations such as GDPR is crucial, particularly for companies operating across international borders. Failure to comply can result in significant financial liabilities, impacting a company’s valuation. Additionally, not all data is equal, with varying definitions and regulatory requirements across jurisdictions. Adopting initiative-taking measures like data minimization and compartmentalization can enhance security and mitigate risks associated with data breaches. 

Building a dedicated cyber risk management team within the deal team can significantly enhance cybersecurity efforts during M&A transactions. This team, comprising in-house security experts, IT professionals, and external advisors, can assess the buyer’s and target’s cybersecurity posture, identify, and mitigate risks, and quantify possible remediation costs. By leveraging industry-leading standards and frameworks, such as those recommended by the National Institute of Standards and Technology (NIST), the cyber risk management team can develop a comprehensive cybersecurity program tailored to investigating the above three key areas of concern balanced with the needs of the combined entity. 

According to BlackBerry, between March and May 2023, threat actors unleashed an average of 11.5 attacks per minute. Moreover, in 2022, a report published by SonicWall indicated malware saw a rapid resurgence from its seven-year low in 2021, climbing to a staggering 2.8 billion attacks. 

Assessment is only the beginning 

Due diligence on cyber risk must continue after the assessment phase. It is essential to continuously monitor and manage cybersecurity risks throughout the integration process and beyond. This includes implementing granular identity and access management controls, hardening perimeter security, revising security processes, and cybersecurity training. Investing in automated risk management services and cybersecurity awareness programs can provide ongoing support for managing cybersecurity risks effectively. 

Furthermore, addressing cybersecurity risks in M&A transactions requires a proactive approach to risk mitigation. Viewing cybersecurity risks as balance sheet liabilities enables organizations to implement best practices for mitigating these risks from the outset. This includes building a strategic cybersecurity roadmap that outlines security goals and implementation strategies for both organizations involved in the transaction. Additionally, managing M&A risk and deal teams requires close coordination between cybersecurity experts and other stakeholders to ensure that cybersecurity considerations are integrated into all aspects of the deal. 

Prioritizing Security Readiness 

Cybersecurity and privacy considerations are integral to modern M&A transactions. By prioritizing IT preparation, conducting thorough cyber due diligence, and implementing proactive risk mitigation strategies, organizations can safeguard their assets, preserve their value, and ensure successful M&A outcomes in today’s digital age. Trusted partners with expertise in cybersecurity and M&A transactions play a vital role in navigating the complexities of cybersecurity risks and ensuring smooth deal closures. 

Learn more in our Cascade Conversation here: