In the past, organizations involved in mergers and acquisitions focused their due diligence on financial, legal, and operational matters. The rise of cyber espionage over the past decade, and especially in recent years, has brought cyber due diligence to the fore. Threat actors, drawn to the presumably deep pockets of acquiring companies, often strike as soon as news of a deal begins to go public. They assume that from this moment onward, eager decision-makers, essentially past the point of no return, are at their most exposed to the impact of a cyber attack.
Any target drawing global interest is at greater risk. Threat actors often perceive greater vulnerabilities in situations where organizations operate in multiple geographies.
Interestingly, the behaviours of some sellers add to the allure. Oftentimes, leading up to the announcement of a deal, the temptation to cut costs wins out and investment in IT and cyber programs eases, leaving the organization more exposed. Unfortunately, organizations rarely revisit their threat profile as the transaction changes it, and so neglect to adjust their defenses accordingly.
The recent explosion of M&A deals involving historic sums of money could mean a heyday for threat actors. However, by prioritizing IT and cyber security throughout the lifecycle of the transaction, both sides of the deal can thwart these malicious efforts and preserve value on their transaction.
What Types of Organizations are Most Attractive to Adversaries?
At BDO we are often asked which industries are most at risk of cyber sabotage. The answer surprises some. Fintech, health-tech, communications companies, and other technology-centric organizations are certainly targets because of the inherent value in their technologies, but so is any organization whose value rests on intellectual property. Imagine, for example, a company whose value lies primarily in a unique design or "secret sauce". If that secret is widely known to exist but poorly guarded, its compromise can cause the value of the deal to plummet. Adversaries know this and actively look for targets with this weakness.
Common Weak Links
False sense of security: Buyers sometimes assume that because both the acquirer and the target employ talented IT professionals, robust and secure systems must exist on both sides. Such thinking ignores the extra exposure (and threat) that comes with involvement in a high-profile M&A, and the change in threat profile that the transaction itself produces.
Change Management: IT and security teams are often followers in the transaction and are not meaningfully engaged until it is complete or nearly so. This introduces further risk. Employee attrition, failure to understand the impact of connecting disparate IT systems, process changes, and a lack of clarity across roles and responsibilities impede the organization's ability to respond swiftly to attacks, compounding the problem and increasing the impact.
Rushed Transactions: Transactions conducted under short timelines are frequently seen as promising targets for cyber attacks, especially when time pressure leads both organizations to skip reassessing their threat profile and the associated risks.
Assess and Protect Cyber Security Capabilities
An effective cyber-security M&A diligence program includes a robust understanding of existing capabilities and a robust transition plan for integration. How is the cyber security program of the target structured? Are incident response plans documented and tested? Do both organizations know where their critical assets reside and how they are protected? When was the last time their cyber defenses were tested? What are their capabilities related to threat detection and response?
These are among the many questions an experienced cyber-security team seeks to answer on the first day it is engaged. When should this engagement occur? For sellers who wish to take their company to market, an assessment of the network in the early stages, or certainly once there is a preliminary indication of interest, gives time to correct issues before a buyer finds them. It can also help preserve or increase the sale price, provided the assessment yields a clean bill of cyber-security health. For buyers, cyber security due diligence early in the M&A process is essential to confirm that, post-transaction and before the newly acquired network is onboarded, nothing nefarious is present that could adversely affect the existing ecosystem. Early engagement of cyber-security experts also helps the valuation hold throughout the lifecycle of the transaction and beyond.
Involving IT and cyber-security teams yields a deep understanding of infrastructure, cyber defenses, business continuity practices, and how current the information systems are. A robust process includes developing a threat profile, working with you to assess and understand existing risks, and then building a risk management plan that reduces that risk to an acceptable level. Continuous monitoring for cyber threats is equally important.
Although the primary benefit of engaging cyber experts is to safeguard the organization against cybercrime, other advantages include avoiding business disruption, reputational damage, and the prohibitive costs of a breach that results in the loss of data or crown-jewel assets.
Cyber security is often viewed as a technology issue. In fact, cyber security is a business issue that requires an understanding of your overarching business strategy in order to be able to manage cyber risk. BDO can help your cyber program align with your business strategy and protect what matters most to your business. At BDO, we ensure clear alignment across people, processes, and technology to enable your business to continue to thrive.
For more information on BDO’s proactive and preventative approach that protects your enterprise, and preserves and enhances value, please call us today.
Key M&A Questions for Business Leaders
Is your enterprise protected? Consider the following questions to help assess where you stand:
- Do you have a good understanding of your biggest cyber security risks?
- Does your team have an established cyber security strategy?
- Has your team planned for a cyber attack, and has it developed and tested incident response plans?
- Does your organization have adequate technology controls for financial reporting in place?
- How much could a cyber security breach cost your organization?
- How do you identify, assess, manage, and report on technology and cyber risk?
- How are you managing risk as the business environment continues to evolve?