Mergers and Acquisitions (M&A) activities occur in organizations of all sizes across every industry. Organizations pursue them to remain competitive, achieve economies of scale, increase market share and remain a trusted brand to customers. Despite these benefits, there is growing concern surrounding the lack of cybersecurity due diligence as part of an M&A deal.
Cybersecurity threats including ransomware, malware, phishing, identity theft/loss, insider threat, denial of service and cyber-espionage could have a far-reaching impact on the financial attractiveness of a firm. In a recent survey of North America-based senior M&A practitioners, 80% of respondents said that cybersecurity issues are now critical to the M&A due diligence process, with more than a third of acquirers saying they had discovered a cyber issue only after a deal went through. Clearly, cybersecurity should be a consideration during any M&A transaction where IT assets are part of the acquisition.
Here are a few cybersecurity practices that organizations can leverage early on in the M&A process:
- Risk Management – Valuable intelligence and historical information can be gleaned from previous risk assessments at the broad business or enterprise level, as well as at the more detailed technical security level. A robust Risk Management program, with meeting minutes and regular stakeholder involvement, is a good sign of a healthy risk management environment.
- Risk Assessment – Performing a risk assessment is a good way to understand existing systems and architecture, identify critical IT assets and business processes, and determine risk priorities. Additional questions should be answered early in the process: how sensitive is the data and where does it reside within the infrastructure; what would be the impact of data loss or a breach; what data protection strategies and safeguards are in place; have there been prior incidents, breaches or significant deficiencies; and what business continuity and recovery plans exist.
- Internal and External Audit – Given the importance and long-term impact of an M&A effort, subject-matter experts should be embedded on both the business and technical side to holistically assess the full body of applicable controls. Any previous or outstanding deficiencies should be understood, and remediation plans and progress reviewed for potential risks.
- Third-Party Risk – An acquiring organization should seek to understand the volume, complexity and contractual obligations of the agreements between the target organization and its third-party vendors. This includes embedded systems, cloud-based applications and systems, and managed services, among other vendor relationships. A robust Vendor Management Program is a good sign of well-managed third-party risk.
- Awareness and Training – Information security should be evident through a well-developed awareness and training program. This program should include communication and confirmation of understanding of company policies, information security risks and best practices, and communication mechanisms to report violations, concerns or issues.
Mergers and acquisitions can provide a wealth of benefits when paired with holistic due diligence. It is critical to understand the complete picture of risk and potential liabilities across the organization, especially surrounding the IT environment.