In the post-COVID-19 economy, cyber risk and cybersecurity will play a central role in unlocking mergers and acquisitions (M&A) deal valuations.

While economic uncertainty has contributed to a decline in M&A activity in the first half of 2020, many analysts expect an increase in deals during 2020-21 based on several conditions.

The Mergers and Acquisitions Landscape

Some sectors have been hammered and need injections of capital and assurances of operational stability. Companies with stronger positions will be opportunistic and looking to accelerate their transformations with new capabilities and intellectual property. Acquisition efforts may be aided by marketplace liquidity. The U.S. private equity industry alone holds $1.5 trillion in cash. Non-financial corporations in the U.S. have more than $4 trillion. Moreover, interest rates in many areas are at or near historic lows.

We are in the midst of a profound, generational challenge, and our ability to adapt is largely a reflection of how we have approached our risk and security practices to date. As the appetite for M&A activity returns, cyber risk and cybersecurity experts should play a central role in determining true asset value and potential liability exposure. Many organizations fail to identify and capture risks in the early stages of the deal lifecycle, when these considerations can make a real difference.

Relevant examples in mergers and acquisitions news are easy to find. In 2016, TalkTalk, a U.K.-based telecom business, was fined £400,000 after a threat actor accessed a customer database it had acquired earlier. In 2017, the price of Verizon’s acquisition of Yahoo’s internet business plunged $350 million after Yahoo disclosed three massive data breaches compromising more than one billion customer accounts. Companies exploring M&A today would also be wise to consider a recent example from April 2020: a pending merger had 5% of its total purchase price set aside to cover the potential fallout from a ransomware attack.

For many companies, the new normal will be about enhancing their market position by acquiring new assets or divesting existing ones. New data insights from IBM’s Institute for Business Value (IBV) suggest risk and security concerns, as well as opportunities generated by enhanced cyber resilience, are some of the most important financial considerations in any M&A deal.

Opening Business to Risks During Mergers and Acquisitions

More than one in three executives say they have experienced data breaches that can be attributed to M&A activity during integration.

Highly sophisticated threat actors target M&A activities because they offer the potential for short-term and long-term rewards. When publicly held companies are involved, the resulting media coverage can increase the chance that threat actors will seize the opportunity to attack. With operations in transition, high-value data is especially vulnerable.

Doing Due Diligence

More than half of companies wait until due diligence is completed to perform cybersecurity assessments.

Figure 1

While it’s critically important that potential liabilities are identified and accounted for in M&A deal valuation — and reflected in purchase, sale, and transition service agreements (TSAs) — most companies wait until late in the deal lifecycle to research and identify potential cybersecurity and data privacy risks and liabilities (see Figure 1).

Get Cybersecurity Leaders Involved

There are clear benefits to involving cyber risk and cybersecurity leaders earlier in the M&A lifecycle.

Of all the respondents, 32% reported having sophisticated M&A capabilities and achieving better outcomes from their M&A activity. Of these, almost 60% engage CISOs and information security teams earlier in the M&A lifecycle, during acquisition planning and screening of potential targets.

Security experts should be embedded in the corporate M&A process and play a key role in all its phases. Failure to understand how a merger or divestiture impacts operational risk exposure detracts from future value realization.

Calculating Risk During Mergers and Acquisitions

Cyber risk and cybersecurity assessments should be factored into target valuations.

Figure 2

Premiums are often paid to acquire a business, so it’s critically important that potential liabilities are identified to keep the premium in line with overall value. On average, companies devote up to 7% of their total annual revenue toward executing M&A activities, more than 80% of which is spent on the acquisition and post-close integration phases (see Figure 2).

Factoring In Security Considerations

Companies with mature M&A practices integrate risk and security considerations into their strategy, planning and valuation activities. Most notably, they analyze and quantify cyber risk factors and cybersecurity vulnerabilities. These organizations develop currency-adjusted cyber risk models that describe the impacts of potential financial and reputational risks. Armed with this knowledge, these organizations are in a powerful negotiating position because they have the freedom to step away from the table. If a cybersecurity issue or potential liability found during screening (pre-acquisition) is significant enough to disqualify a target, this translates to substantial operational cost avoidance.

In our experience, there are a number of reasons why companies delay or disregard engaging security experts during M&A. In some cases, it’s attributable to inexperience with the complex M&A lifecycle. In others, there may be a desire to limit the number of people with knowledge of an impending merger. Restricting “line of sight” to a potential merger is understandable during the pre-acquisition phase. However, excluding risk and security domain experts during deal valuation, negotiations and due diligence is problematic. Security and compliance issues can present large potential liabilities that impact the basis for a deal.

To learn more about how to quantify security risks within your M&A deals, register for our webinar.

For more insights, including recommendations for each phase of the M&A deal lifecycle, check out IBM’s new benchmark insights report Assessing cyber risk in M&A — Unearth hidden costs before you pay them.
