Mergers and acquisitions (M&A) are complex and challenging business transactions that can create significant value for the involved parties. However, they also pose significant cybersecurity risks that can undermine the success of the deal and expose the new entity to legal, regulatory, reputational, and operational damages. Many M&A deals move very fast as involved parties get very excited about the success of the deal. In their haste to close, there is pressure to skip past some pre/mid/post-deal diligence that would help avoid surprises and help challenge the value of the deal (on both the buyer and seller side).
To achieve that value, it is essential for both buyers and sellers to adopt a proactive and comprehensive approach to managing cybersecurity risks throughout the M&A lifecycle. These risks can arise from various sources, such as:
- Outdated or immature cybersecurity policies, processes, and programs
- Obsolete systems, hardware, and software (including inherited tech debt, unpatched vulnerabilities, and sensitive data exposures)
- No or incomplete records of recent penetration testing or technical testing
- Lack of recent data backups, processes, or testing/verification of effectiveness
- No (or insufficient) data or disaster recovery plan and business continuity plans
- Little to no encryption or other protective measures applied to sensitive data
- No remote device management security (creating sensitive data/info sprawl and other operational risks)
- Existing dormant attackers within the target’s network
- Unreported or undiscovered data breaches (prior to the acquisition or merger)
- Insider threats (members of the workforce that have or can create damage to the organization through theft or disruption during the acquisition or merger integration)
- Regulatory non-compliance
- Exposure of intellectual property that could challenge the acquiring party’s right to ownership or exclusivity in the future
To mitigate these risks, both buyers and sellers need to define and follow a cybersecurity playbook that covers four stages of the M&A process: screening, due diligence, integration, and post-integration.
The Seller playbook should be a comprehensive overview of the cybersecurity program and various key controls. Companies that are preparing for a sale should spend time and effort being proactive in building a cyber program and processes that will demonstrate the protection of company data and operations. When done right, cybersecurity and data protection can be a value add or even a differentiator to a buyer. This is especially true for entities that might have the risk of IP loss, brand damage, or operational impairment stemming from a cyber incident.
The Buyer playbook should involve the internal information security team and/or qualified experts to help focus the cyber evaluation efforts within the time confines of the deal process. The experts you want to help are those with experience, business acumen, and the ability to prioritize and focus the evaluation tactics that won’t unnecessarily slow down the overall deal. I say this, knowing that some cybersecurity purists may argue that the deal should wait on appropriate diligence regardless of how long it takes. However, this is often not a reality, and these are typically the leaders that are left behind or not at the table. I once had a Fortune 500 VP of Business Development/M&A tell me: “BD folks usually don’t bring cybersecurity in early in the deal because we don’t want to be slowed down or the deal disrupted.” This honest insight means cyber experts need to show up with speed and value to gain or remain at the table.
Here are some insights on the stages of the M&A process and how cyber risk can be evaluated, managed, and considered in the deal value/business case.
Screening: In this stage, the buyer should identify the target’s information security team composition and qualifications and involve its own information security leaders in the initial assessment of the target’s cybersecurity posture. For small entities, this might not be full-time employees and may not be a full cyber program. This is where expertise can be helpful to triangulate the context of the business or assets being purchased and what elements are relevant to create risk in the future state combined organization.
The buyer should also evaluate the target’s industry, geography, customer base, and business model to determine the level of cybersecurity risk exposure and regulatory requirements. For example, is the acquisition of a healthcare entity requiring HIPAA compliance or a financial services entity requiring PCI or other regulatory compliance elements?
Due diligence: In this stage, the buyer should conduct a thorough and independent assessment of the target’s cybersecurity capabilities, policies, processes, systems, assets, data, incidents, prior breaches/incidents, compliance status, and remediation plans. The buyer should also identify any gaps or weaknesses in the target’s cybersecurity hygiene and performance and estimate the costs and efforts needed to address them. This is where the value to the overall business case and deal value can be a strategic lever. For example, if it is a $10 mil acquisition but will require $2 mil of investment to integrate or raise the cyber program posture to the broader company standard, that is a material factor in the deal. You may be able to leverage this heavily in the negotiation. And buyers beware, this is why earlier I mentioned prospective sellers should be investing in their cyber program proactively.
Integration: In this stage, the buyer should develop and execute a cybersecurity integration plan that aligns with the overall business integration strategy and timeline. The plan should include but not be limited to:
- Establishing a unified governance structure and reporting mechanism for cybersecurity. The plan may vary over time if the entity being acquired may operate semi-independently over time vs being fully integrated early in the process.
- Harmonizing cybersecurity policies, standards, procedures, and controls across the new entity
- Updating systems, hardware, software, and data to meet the new entity’s security requirements
- Patching vulnerabilities and resolving any outstanding cybersecurity issues
- Conducting penetration testing and vulnerability scanning to validate the security posture of the new entity
- Implementing data protection measures such as encryption, backup, recovery, and retention
- Enhancing remote device management security for mobile and remote workers
- Educating and training employees on cybersecurity awareness and best practices and shifting the culture from the prior ownership to the future state combined entity
Post-integration: In this stage, the buyer should monitor and measure the effectiveness of the cybersecurity integration plan and make any necessary adjustments or improvements. The buyer should also establish a continuous improvement process for cybersecurity that leverages data analytics, threat intelligence, incident response, audit feedback, and industry benchmarks. The buyer should also review and update its cybersecurity strategy and roadmap to align with the new entity’s business objectives and risk appetite.
Cybersecurity risk management in M&A is not a one-time activity but an ongoing process that requires collaboration, communication, coordination, and commitment from both buyers and sellers. By following a cybersecurity playbook that covers all stages of the M&A lifecycle, both parties can reduce their exposure to cyber threats, enhance their resilience to cyber incidents, comply with regulatory obligations, protect their reputation and customer trust, and ultimately achieve their desired business outcomes.
By having defined processes and playbooks (on both the seller and buyer side), the opportunities to have the right conversations, analyses, decisions, and engagements will be clearer and more transparent. Additionally, the process can go more smoothly and swiftly as you won’t have individuals making up a plan on the fly or being (or being perceived) as slow or time/cost prohibitive.
If you are a seller: “Fake it till you make it” is not a good strategy for achieving the deal value you desire. I wouldn’t personally bet my retirement on it. Making smart moves early before you need or want to sell will minimize overall costs and increase the value of your potential deal.
If you are a buyer: Don’t let the excitement of the potential deal and need for speed become the pretty icing on an unbaked cake. Think strategically about how evaluating and managing cyber risk throughout the deal process can maximize a deal’s value, total cost, and overall success.
At Reveal Risk, we have had experts on both sides of the deal (buyer and seller). Our experts have had experience inside corporations going through the process and have seen how it can work when things are and aren’t done right. We’ve taken all these experiences and formulated them into how we strategically help companies build their playbooks and supporting processes. We would rather be engaged proactively than helping to clean up the aftermath of deals that have been processed without the right diligence.
If you would like to learn more about how a process/playbook could look for your organization, reach out to us at firstname.lastname@example.org to have a conversation about how we can help you achieve better deal value and minimize surprises and risk.