Look before you leap

M&A executives view cyber threats as specifically focused, pre-meditated attacks by a bad operator towards a buying or selling company, or both, with an explicit goal.

As soon as an M&A deal is made public, hackers start testing the security perimeters and wait till “chinks in the armor” are revealed.  During Day 1 and post-merger integration, cyber vulnerability heightens, as employees increase their activity over the network and infrastructure to ensure the operational success of the deal.  Bad actors use technologically sophisticated approaches and deepfake identity theft to access confidential personal and financial information, proprietary IP, new product schematics – all of which can be sold on the virtually untraceable dark web.

Fraudsters may encrypt servers through malware and lock them in for ransom or may co-opt the use of the buyer or seller’s network storage, bandwidth, and computing resources to carry out illegal activities.

While during integration the overall security perimeter of the combining entities shifts, creating potential gaps for unauthorized entry, the greatest compromises come from undocumented “backdoors” such as an unpatched system, a networked legacy device, or even a forgotten or unmonitored web portal. 

Supply chain management is another area prone to cyberattacks as it involves tens of thousands of system interfaces internally and externally.  Each system interface potentially offers intruders an opportunity to disrupt or illegally gain from the misuse of the buyer’s and/or the seller’s data, intellectual property, payments, and more.

Take stock

Buy-side diligence includes quick identification of issues that hamper a successful M&A deal.

Before the deal is agreed, the buyer formulates a basic mitigation strategy and estimates investment required to alleviate cyber security issues, if and when they arise. Deal success, therefore, requires understanding of: 

• Key security systems and platforms: Document and evaluate the expanse of IT systems and solutions employed by all entities, including third parties, involved in the seller’s cyber security perimeter.
• Digital security processes and policies: Understand the cyber security standards and risks of the acquisition target’s industry to determine the relative maturity of its cyber security posture. 

Benchmark the practices of the seller against their competitors to determine the target acquisition’s degree of above- or below average risk from both technical and non-technical factors.

People: Assess not only the management of the IT and cyber systems but also the importance, and availability of support for IT security by the organization’s leadership, employees, and third parties.

Process: Review policies and procedures in place for data integrity maintenance and information stewardship. This includes governance of regulatory and compliance standards to fulfill all auditing and reporting obligations.

Sell-side diligence requires identifying issues that could prevent a deal or negatively impact the sale price before a deal is negotiated.  Successful sellers either resolve issues beforehand or optimally build their cyber security remediation into a detailed transition plan and pricing.  

Prioritize for integration

Strategic priorities for the buyer’s and the seller’s c-suite are fivefold.

• Value capture: Find and detail the return on investment of cyber remediation as well as isolate the potential areas the seller could successfully integrate with an acquiring or merging firm.
• Defense vendor and service rationalization: Optimize third-party vendors or service providers that help defend the seller against cyber security threats. Minimize tech spending or increase coverage by changing or adopting more efficient paradigms like cloud hosting and managed services.
• Integration mapping: Identify and strategically map specific areas to protect, i.e., “the crown jewels”, and align and augment available security resources for the needed coverage and protection before and after the deal is struck.
• Target operating model and organization design: Draft and treat as a “living document” the new company’s operating model and organizational design that evolves as more data and information becomes available along the transaction lifecycle.  Identify the value streams for delivering mission critical, potential synergies, and other business benefits. Then estimate the people, technology, and other costs, including information security risks, associated with each aspect.
• Separation and Integration planning: Develop a detailed, long-term plan to separate and then integrate the combining enterprises to realize the new company once you have the integration map.  Leverage a centralized management to granularly document critical business processes, key applications used, infrastructure and hosting strategies, vendor contracts and service agreements, to ensure expected synergies are realized without cyber risk disruption.

Pre-empt to protect

Anticipating and pre-empting threats is half the battle won in a cyber risk mitigation strategy.

• Scan news sources: When the media provides coverage of a new M&A deal, hackers will act on that information. It is imperative to release an official media statement and keep track of your media sources to ensure unwanted information is not leaked out.
• Monitor the dark web:  Search the dark web to find out if there are illegal security credentials to a potential acquisition being sold. Alternatively, insider information or intellectual property from the target company might be for sale as well. We recommend that cyber experts be retained to use the dark web as a tool against would-be intruders.
• Prepare a good offense: Penetration testing and intruder monitoring exists as the standard “defensive posture” of most networks or security systems, to watch and secure the larger perimeter of an organization. However, during the M&A transaction cycle, implementing pro-active monitoring that aggressively watches over the perimeter and attempts to “track back” the source of the attempted intrusion is possible. During due diligence, a review of existing security tests and cyber reviews helps set the stage for the more detailed phases of the M&A life cycle.

Secure data and access

A good cyber security plan for any acquisition, merger, or divestiture is both strategic and highly tactical to address the unique and dynamic nature of the transaction.  

The M&A landscape is even more complex as cyber threats evolve due to the increasing sophistication of criminal tactics and tools available to enable them. The resultant damages are financial, operational, and reputational.

M&A transactions almost always include the purchase or sale of data, and the plan to realize the targeted synergies and investment returns is only as sound as the cyber security in place before, during, and after the deal. Including digital security as a deal-driven priority is the only way to ensure a smooth, stable, and value-added M&A business exchange.

Anticipating and pre-empting threats is half the battle won in a cyber risk mitigation strategy.

According to Gartner, by 2022, 60% of enterprises engaging in M&A will consider cyber security posture as a critical factor in their due diligence process.