The pivotal role of cybersecurity in mergers and acquisitions
Cybersecurity risk assessment and awareness are crucial to a mergers and acquisitions deal’s success. Here are key factors for buyers and sellers to consider during every stage of the transaction.
Key takeaways
- Novel situations, processes and personnel contribute to an elevated risk of cybercrime during a deal and require special preparation and attention.
- Breaches or inadequate security controls can lower the valuation of deal terms or even cause the deal to be lost.
- The post-close entity can end up absorbing the additional costs of managing security vulnerabilities while creating new challenges for IT and cybersecurity teams.
Executing the details and terms of mergers and acquisitions (M&A) transactions can be complex even before cybersecurity is taken into account. Planning for a secure transition while managing the expanded points of vulnerability (known as the threat surface) during and after the transaction adds to the challenge. Merging technology platforms and their associated processes can cause disruptions that give malicious actors, inside and outside the organizations, opportunities to exploit temporary defensive gaps.
Increasingly, cybersecurity assessment and management are an essential part of due diligence and integral to the pre- and post-closing phases of a deal.
Both buyers and sellers have a clear interest in cybersecurity-focused oversight. Sellers with a history of breaches or inadequate security controls can experience a devaluation of deal terms or even lose out on the deal altogether. Acquirers may absorb the security vulnerabilities while creating new challenges for their IT and cybersecurity teams. Several high-profile deals have been scuttled, devalued or resulted in fines due to cybersecurity breaches.
Mitigating M&A cybersecurity risk for acquirers starts with thorough assessments of the seller prior to finalizing a term sheet and should extend to the day of the deal closing and well afterward. Here are the potential risks and mitigating actions for acquirers and sellers at different stages of the M&A process, from screening and due diligence to pre- and post-closing phases of a deal.
Screening and due diligence
Acquirers should:
- Assess the seller’s threat surface, vulnerabilities and response capabilities. Whether or not the seller has ever experienced a cyber incident, the acquirer’s financial, IT and security leadership will need a full assessment of its digital infrastructure (e.g., networks, cloud infrastructure, devices, data storage, payment processes), its network access protocols, its security tools and its cybersecurity response plans. The assessment might include threat hunting or penetration testing, which dig deeper into the seller’s systems than standard security scans do.
- Map the seller’s vendor landscape. The acquirer should take an inventory of existing relationships with third- and fourth-party vendors, partner organizations and their supply chains to evaluate their cybersecurity practices, reputations and any history of breaches.
- Evaluate the seller’s cybersecurity regulatory compliance. Adherence to national and international regulations and standards that govern industry practices, particularly those regarding data use and storage, should be part of this assessment.
Sellers should:
- Be transparent about cybersecurity posture. The selling company should undertake a thorough assessment of its security controls, compliance record and security-screening process before any potential buyer begins their due diligence.
Pre-closing and closing
Acquirers should:
- Determine which digital assets are mission-critical. Every company has different “crown jewels”: the assets that form the critical foundation of the business or are integral to its success, and whose loss would pose an existential risk. They vary from company to company, and for some, such assets might not be digital. Identifying these assets helps the acquirer prioritize its security measures.
- Maintain cybersecurity awareness. The potential for a cybersecurity breach can be highest in the days immediately after a transaction. Security and company leaders may need to set limits around payment approvals and/or communications to ensure bad actors are not exploiting disruptions. During this phase, it is important to deploy more aggressive threat hunting and monitor essential imported systems.
- Build a cyber-secure plan for the operating entity. The deal should follow a detailed cybersecurity plan that addresses how roles and responsibilities will shift, how networks will connect and which of the seller’s accounts (e.g., customer accounts and vendor accounts, lines of credit, employee retirement plans) will be exported to the new entity. This applies whether the deal creates a new company, or the acquired party becomes a subsidiary of the acquirer. The plan should designate decision-makers and establish processes for reporting problems that may have security implications.
- Control system access. Specialists and experts who may require access to digital infrastructure during the pre-close period should be carefully vetted and monitored. The security team should be provided with a list of approved users and maintain strict controls over identity and access management in the early days of the new entity’s operation.
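One way to turn the approved-user list into a routine check during the pre-close period, as an added example that is not code from the original article: given the roster the security team holds and an export of the accounts actually present on an acquired system, flag accounts with no approval on record, approvals that have lapsed, accounts holding more privilege than was approved, and approved accounts that nobody is using. The users, systems, roles and dates are constructed sample data, and the `Approval`/`Account` structures are assumptions for the illustration.

```python
"""Reconcile accounts on an acquired system against the approved-user list.

Added illustration, not the article's or any project's code. All users,
systems, roles and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Ranking used to detect an account holding more than it was approved for.
PRIVILEGE_RANK = {"read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Approval:
    user: str
    system: str
    role: str       # highest role approved for this user on this system
    expires: date   # approvals are time-boxed to the transition window


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    role: str
    last_login: Optional[date]  # None when the account has never been used


Finding = Tuple[str, str, str, str]  # (severity, user, system, description)


def reconcile(accounts: List[Account], approvals: List[Approval],
              today: date, stale_days: int = 30) -> List[Finding]:
    """Compare live accounts with the approved roster and return findings.

    high   - account with no approval, or whose approval has expired
    medium - account holding a higher role than approved
    low    - approved account unused for `stale_days` (removal candidate)
    """
    approved = {(a.user, a.system): a for a in approvals}
    findings: List[Finding] = []
    for acct in accounts:
        appr = approved.get((acct.user, acct.system))
        if appr is None:
            findings.append(("high", acct.user, acct.system, "no approval on record"))
            continue  # nothing else to compare against
        if appr.expires < today:
            findings.append(("high", acct.user, acct.system,
                             f"approval expired {appr.expires.isoformat()}"))
        if PRIVILEGE_RANK.get(acct.role, 0) > PRIVILEGE_RANK.get(appr.role, 0):
            findings.append(("medium", acct.user, acct.system,
                             f"holds {acct.role}, approved for {appr.role}"))
        if acct.last_login is None:
            findings.append(("low", acct.user, acct.system, "never logged in"))
        elif (today - acct.last_login).days > stale_days:
            findings.append(("low", acct.user, acct.system,
                             f"no login in {stale_days} days"))
    return findings


# Constructed sample data: the roster given to the security team ...
SAMPLE_APPROVALS = [
    Approval("ana", "erp", "read", date(2024, 7, 1)),
    Approval("bob", "erp", "admin", date(2024, 5, 31)),   # lapsed approval
    Approval("cho", "payroll", "write", date(2024, 7, 1)),
    Approval("fay", "payroll", "read", date(2024, 7, 1)),
]

# ... and an export of accounts actually present on the acquired systems.
SAMPLE_ACCOUNTS = [
    Account("ana", "erp", "admin", date(2024, 6, 14)),    # more than approved
    Account("bob", "erp", "admin", date(2024, 6, 10)),    # approval expired
    Account("cho", "payroll", "write", None),             # unused account
    Account("dan", "payroll", "read", date(2024, 6, 1)),  # not on the roster
    Account("fay", "payroll", "read", date(2024, 6, 14)), # clean
]

if __name__ == "__main__":
    for severity, user, system, what in reconcile(SAMPLE_ACCOUNTS, SAMPLE_APPROVALS,
                                                  date(2024, 6, 15)):
        print(f"[{severity}] {user}@{system}: {what}")
```

Run against the sample data, the check reports four findings (dan has no approval, bob's approval has expired, ana holds admin while approved for read, and cho's account has never been used) and nothing for fay. Keeping the roster time-boxed is what makes the "expired" check meaningful once the transition window closes.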
Sellers should:
- Limit the type and number of allowed payments or receivables to only those that are most secure, with only critical systems migrating in early phases so the process can be carefully monitored.
Post-closing
- Sustain monitoring of imported systems and new hybrid networks. As new workflows and processes become entrenched, new vulnerabilities and weaknesses in the attack surface may develop. Continue to scan the threat surface and network traffic, and consider the value of proactive threat hunting within the new entity’s digital environment.
- Continually assess cybersecurity risk. It can take time to realize the effects of importing teams, networks, security tools and processes. The leadership team should continue to evaluate acceptable levels of risk and perform regular scans to keep the new company in a secure state. They should also stay aware of potential insider threats, which can come in the form of employees who don’t observe new security protocols or who may download intellectual property or sensitive data.
- Refine the M&A security strategy. If a company is in growth mode and expects more M&A activity, it should continue to reflect on lessons learned, incorporate stronger security policies and controls, and streamline system integration.
Given what’s at stake, cybersecurity is increasingly considered a critical component of the M&A process and a key contributor to the transaction’s overall success. By assessing and managing cybersecurity risks from due diligence through post-close integration, buyers and sellers can identify vulnerabilities, deter bad actors and avoid pitfalls that can undermine the deal’s economics.