Cybersecurity Lapses Can Derail the M&A Train

Ask most executives and board directors about the top risks associated with mergers and acquisitions (M&A), and they’ll likely list concerns such as overpaying for an acquired company, assimilating disparate cultures, an inability to achieve projected synergies, the integration process, and so on. What executives and directors are less likely to mention is one of today’s greatest threats to M&A success: cybersecurity.

An increasing number of deals are being abandoned or revalued due to cybersecurity issues, and most of those involve organizations that are performing appropriate due diligence and discovering breaches and other cybersecurity issues before closing the deal. In cases where such due diligence is not being performed, or being performed in a perfunctory manner, we also see headlines about after-the-fact cybersecurity issues triggering compliance violations and enormous unplanned remediation costs. These situations quickly turn good deals into bad, and could lead to liability issues for directors and officers.

It is not surprising to see post-deal cybersecurity problems. According to the most recent FireEye M-Trends report, it takes an average of 101 days for companies in any stage of their life cycle to discover a data breach. If a breach remains undiscovered throughout the M&A process, the buying company could be unknowingly acquiring a damaged asset. Or, if an adversary has penetrated either the buyer or the target company’s network, the “uncompromised” party in the deal stands to be attacked through the other company once their networks are joined.

In cases where there is not an active adversary on either network during the deal, if one party is not effectively managing its own cybersecurity risk, it will open the other party to those risks, or to compliance gaps, once the deal is closed and integration activities begin. Finally, if the intellectual property of the acquired company has been compromised, the company valuation and sustainability could be negatively impacted.

To mitigate security risk during M&A, boards should work with their management teams to ensure that cybersecurity experts are brought into the due diligence process early, and preferably before deal value is set. This is the only way the acquiring company can get a clear picture of the real and potential risks to deal value that the acquisition target may introduce through its security gaps and any active intrusion. Not every security consultant has experience conducting M&A due diligence, so selecting the right partner is critically important.

Here are some key cybersecurity steps the board of every acquiring company should ask the management team to take before and during the M&A process:

• Ensure that a list of the target company’s digital assets, including infrastructure, software, hardware, and mobile apps, exists in a centralized database. This should include a risk score for each asset, based on information such as previous compromises.
• Gain a complete view of the target company’s third-party ecosystem. The board should insist that the M&A team evaluate the security protocols and assurances of each of the target’s partnerships to assess any risk they might introduce.
• Make sure procedures are in place for governing software development controls for the technology that is being acquired as part of the deal. In addition, the acquiring company needs to examine how it will introduce any new technologies into its own organization and maintain compliance.
• Execute a risk and vulnerability scan of the acquired company’s business and its assets, to characterize the business risk and the costs to re-mediate.
• Ascertain there is appropriate investment in employee education and awareness. At a minimum, a cybersecurity training session should be held with staff from the new organization to outline security expectations and guidelines. Implore management to report on the program’s success and to follow up on its efficacy.
• Decide in advance if the target company will be fully integrated into or operate separately from the acquiring company, and direct management to develop the security strategy accordingly. For example, many security teams prefer to isolate the new group under a “zero trust model” for several months as a temporary safeguard.

Businesses have been slow to embrace cybersecurity as a top-tier risk not only for M&A, but for business operations in general. Recent headlines underscore that failure to make cybersecurity a focal point of due diligence can turn even the best-looking deal ugly overnight. The board can do its part to ensure the deal’s success.

A version of this article originally appeared in the July/August 2019 issue of NACD Directorship magazine.