How to Address Security Threats in M&A

Arvin Bansal
April 14, 2023

Mergers & Acquisitions between two existing corporate giants create a unique synergy to surpass its combined performance and values with the newly-formed joint venture. However, it’s also quite a high-risk proposition, involving multiple security threats to consider beforehand. 

Cyber diligence, perhaps the most trending topic in M&A currently, must be taken seriously by companies, as third-party attacks have turned more sophisticated and newfangled over time. Here’s what a recent Deloitte cybersecurity study found:

  • In 2017, a US-based telecom MNC lost $350 million while acquiring a web services provider due to a massive data breaching attack.
  • 53 percent of respondents in a Forescout survey revealed their companies have faced cybersecurity threats amidst M&A deals, imperiling the deal negotiation

How does poor cybersecurity affect an M&A deal?

Here’s the truth - if not paid attention to, poor security can badly affect both the to-be-acquired and the acquiring party. 

For starters, these cybersecurity attacks and incidents of data breaching (once revealed) severely affect the divesting company’s financial valuation. If the dissatisfied shareholders decide to raise fraud charges, the concerned firm may also be liable to pay a huge penalty amount.

On the other hand, below-average cybersecurity can introduce much more severe threats than Business Email Compromise and data breach issues for acquiring companies. In fact, a 2021 FireEye study has revealed that sophisticated hackers can penetrate any network and be incognito for 206 days, on average. These many days are sufficient for malicious third parties to easily steal sensitive information, including proprietary data, business strategy, employee records, etc.

How to ensure top-tier cybersecurity due diligence?

Ensuring proper cybersecurity and internal control systems can save an acquiring company millions in remediation costs. Whether it’s identifying any gap in existing security controls or implementing a new, proper risk management model, precaution is key in every stage of acquisition. Here’s a list of the necessary measures every acquiring firm must adapt during an M&A deal:

Pre-Acquisition Stage

  • Recognizing the type/pattern of cybersecurity threats that the target firm encounters usually, depending on its industry, products/services, partners, etc.
  • Reviewing the firm’s existing system architecture (software/hardware, IT asset inventory, cloud, data flows, etc.) for any underlying vulnerabilities
  • Analyzing their security program to ensure they’re meeting the to-be-acquired firm’s industrial best practices

Acquisition Stage

  • Investigating the corporate policies (terms of service, data classification, IT security, etc.) to find and resolve any gaps
  • Initiating new network policies and network division guidelines to strengthen the acquisition synergy
  • Reviewing the to-be-acquired firm’s existing state of IoT security and risk strategy to make necessary improvements

Post-Acquisition Stage

  • After the M&A has been successfully completed, upgrade the existing security procedures and initiate complex Identity and Access Management controls.
  • Always invest in efficient risk management software that can automatically run numerous programs under a central GRC system

M&As, although quite lucrative, are still ultra-hazardous deals that require decision-makers to identify and nullify any potential threat. Unfortunately, a one-size-fits-all cyber due diligence approach is yet to be figured out. However, these above-mentioned diligence exercises can help the acquiring company find any security gaps and strengthen their data protection measures for a safer transition. 

Chief Information Security Officer