The ability of companies to merge with or acquire other companies is essential to healthy and energetic economies. That’s why most of us find the idea of mergers and acquisitions so fascinating. M&As are usually good indicators of positive change, progress and transformation. They generally tend to signal the beginning of something new and exciting.
Yet M&As do not take place in a vacuum. They are very much influenced by prevailing economic and social conditions. Not surprisingly, M&A processes have adjusted, evolved and adapted to fit the 21st century business environment. Almost every aspect of the M&A process has changed – either subtly or dramatically – to keep pace with the times.
Cyber Risk is Everywhere
The shift to digital business – a global trend that had been gathering momentum for decades – has been accelerated and amplified by the pandemic. Today, it’s hard to find a business that doesn’t have a digital footprint.
When we look at a modern business from an M&A perspective, we’re not just looking at its physical and financial assets – we’re also looking at how it gathers, stores, analyzes, manages and protects its digital assets.
The expansion of data privacy laws, coupled with the dramatic rise in cybercrime, has made all of us more aware of cybersecurity risks. As a result, cybersecurity is no longer an afterthought in the M&A process. If your company is planning to buy or merge with another company, or if your company is looking to be acquired by another company, rest assured that cybersecurity will play a significant role in the due diligence phase.
Whether you are a buyer or a seller, you should be prepared to get down into the weeds and dig around until you have a clear understanding of the cyber risks that may be lurking beneath the surface. Even if you’ve negotiated a great deal and everyone is happy with the terms, your merger or acquisition still needs to move successfully through the due diligence stage of the overall M&A process.
In a typical M&A scenario, there are four broad categories of cyber risk for the acquiring firm to consider:
- Customer obligations and expectations – is the target firm meeting agreed-upon obligations to its customers, such as being compliant with HFS, CCPA, GDPR or PCI-DSS, for example?
- Regulatory and industry expectations – is the target firm in compliance with rules and regulations applied to its industry, such as SOC2, NIST CSF or NERC CIP?
- Governance and oversight – does the target firm have a governance process in place to ensure that it is meeting its cybersecurity obligations and following necessary regulations?
- Inherent business risks - does the target firm operate in a vertical market that is inherently outside your organization’s risk tolerance (examples could be vertical markets that are innately targets of nation state actors or subject to geopolitical risk).
Deficiencies in any of these four areas are red flags that need to be addressed before the deal moves forward. Since most M&A attorneys are not cybersecurity experts, it makes sense to engage an experienced cybersecurity firm to support due diligence efforts (such as investigations, audits and reviews) and, if necessary, to provide suggested steps to remediate or mitigate issues that are discovered.
Again, it’s important to bring cybersecurity into the M&A process from the beginning, for the simple reasons that a) even the best organizations can have cybersecurity issues, and b) remediation costs money and should be calculated into the deal costs. Most of these issues can be remedied or addressed satisfactorily, but you definitely don’t want to find out about them at the last minute or, worse yet, after the deal closes.
If you’ve read the previous chapters of this book, you’ll know that third-party risk plays a huge role in the cybersecurity universe. Third-party risk also factors significantly into the M&A process, since you will need to establish not only that the company you plan to acquire is managing its technology vendors properly, but that these vendors are following the appropriate rules and regulations, and meeting their contractual obligations. Recent statistics indicate that on average more than 70% of software platforms today consist of opensource and 3rd party libraries.
The target company’s IT or cybersecurity team should be prepared to demonstrate that it is managing its vendors and that it is aware of how well (or how poorly) the vendors are managing their cyber risks and executing their contracts.
Now is probably a good time to mention that a company’s cybersecurity posture is likely to be affected by a merger or acquisition. The effect can be positive or negative, severe or minimal. But there will be an impact, and you’ll need to be ready for it.
When companies merge or are acquired by another company, they absorb each other’s strengths and weaknesses, and with that, their cyber risks. The attack surface expands, and not every contingency can be foreseen. In other words, there will be unintended consequences. If you’ve done your cybersecurity due diligence properly, however, these consequences should be manageable. Today, the notion of inheriting a target’s cyber risks is more commonly understood than it was in the past. For example, it is now becoming common for a company to see significant cyber insurance implications from a merger if its target does not have commensurate controls.
The last thing you want, of course, is any kind of surprise. A classic example of an unwanted surprise occurred after the acquisition of Starwood Hotels by Marriott in 2016. Roughly two years later, a data breach that had taken place a couple of years earlier was uncovered.
The breach, which had compromised the data of more than 300 million customers, was in Starwood’s guest reservation system, but Marriott was subsequently fined about $23.8 million for violating GDPR security standards. Marriott also suffered reputational damage to its brand.   
The Marriott/Starwood breach is a cautionary lesson that should not be forgotten, particularly when you’re performing cybersecurity due diligence in an M&A process.
It’s imperative to find out if there have been material breaches. If security breaches have occurred, it’s essential to follow up and obtain proof that the breaches were properly addressed and remediated. Additionally, you cannot simply assume that the target firm’s security team will be aware of every breach that has occurred. Even the best security teams can slip up.
For practical purposes, this means that you must go beyond the questionnaires and find out if there are indications of a breach that went unnoticed. A careful search of the dark web should reveal if any of the target company’s data has been stolen and has been offered up for sale. You might also consider a series of supporting activities to establish confidence, including:
- hiring an external party with expertise in dark web investigations
- looking for existing footholds in the environment through a compromise assessment of the target
- performing code assessments of key production platforms to establish trust in compromised development environments
In any event, you need to find out as much as you possibly can about the current state of the target company’s cybersecurity posture.
If the target company has experienced a breach and has not met its obligations (e.g., response, reporting, remediation, notifications, etc.), then you are basically inheriting the company’s liability when you acquire or merge with it – which is essentially what happened when Marriott purchased Starwood and inherited Starwood’s security issues.
Given the complexity of modern IT systems, every M&A deal comes with a level of inherent risk. After you’ve identified and remediated the inherent risk, you are left with residual risk. If the residual risk is deemed manageable, the deal can proceed.
Additionally, keep in mind that cybercriminals may be tempted to attack companies before, during or soon after they go through an M&A process. There are a variety of reasons for such tactics, but the most obvious one is that during an M&A, the parties involved are focused on the deal. As a result, they may become distracted and miss the signs of a cyberattack. The lesson here is to keep your guard up during an M&A. The bad guys are watching, and you don’t want to make their lives easier by relaxing your vigilance.
Lastly, you should be aware that a comprehensive due diligence process cannot be done in a couple of days. A legal review of existing contractual obligations will usually take two or three weeks. A thorough scan of the open and dark web to discover stolen or exfiltrated data will likely take another 10 days. If the initial due diligence raises any red flags, or if the organization has had material breaches, you may need additional time to supplement your due diligence with additional activities to further assess the residual risk and cost implications.
It’s also a good idea to schedule calls with senior management to speak specifically about cybersecurity. The goal of those conversations to gather details that may have been overlooked and assess the maturity of the company’s cybersecurity program. Speaking directly with senior management will give you deeper insight and yield better understanding of potential risks.
The Value Proposition
At its heart, the M&A due diligence process is about risk mitigation. You’re about to buy or merge with another company, and you want to make sure that you’re not going to inherit more risk than you are willing to accept. That’s why you need to find out if the company is honoring its obligations to customers, following regulations and monitoring compliance. You want to know in advance if there are breaches that may warrant fines or have not been properly reported. Are there specific risks that exceed your risk appetite? Don’t forget to include potential reputational risks in your overall assessment.
In today’s vibrant and continually shifting economy, M&As are common features of the business landscape. My advice is to prepare for the eventuality of being involved in an M&A, and take the steps now to ensure that your cybersecurity team is ready to provide any evidence or documentation that will be requested. In other words, it’s a good practice to prepare for an M&A, even if it’s not on the immediate horizon.