In the post-COVID-19 economy, cyber risk and cybersecurity will play a central role in unlocking mergers and acquisitions (M&A) deal valuations.

While economic uncertainty has contributed to a decline in M&A activity in the first half of 2020, many analysts expect an increase in deals during 2020-21 based on several conditions.

The Mergers and Acquisitions Landscape

Some sectors have been hammered and need injections of capital and assurances of operational stability. Companies with stronger positions will be opportunistic and looking to accelerate their transformations with new capabilities and intellectual property. Acquisition efforts may be aided by marketplace liquidity. The U.S. private equity industry alone holds $1.5 trillion in cash. Non-financial corporations in the U.S. have more than $4 trillion. Moreover, interest rates in many areas are at or near historic lows.

We are in the midst of a profound, generational challenge, and our ability to adapt is largely a reflection of how we have approached our risk and security practices to date. As the appetite for M&A activity returns, cyber risk and cybersecurity experts should play a central role in determining true asset value and potential liability exposure. Many organizations fail to identify and capture risks in the early stages of the deal lifecycle, when these considerations can make a real difference.

Relevant examples in mergers and acquisitions news are easy to find. In 2016, TalkTalk, a U.K.-based telecom business, was fined £400,000 after a threat actor accessed a customer database it had acquired earlier. In 2017, the price of Verizon’s acquisition of Yahoo’s internet business plunged $350 million after Yahoo disclosed three massive data breaches compromising more than one billion customer accounts. Companies exploring M&A today would also be wise to consider a recent example from April 2020: a pending merger had 5% of its total purchase price set aside to cover the potential fallout from a ransomware attack.

For many companies, the new normal will be about enhancing their market position by acquiring new assets or divesting existing ones. New data insights from IBM’s Institute for Business Value (IBV) suggest risk and security concerns, as well as opportunities generated by enhanced cyber resilience, are some of the most important financial considerations in any M&A deal.

Opening Business to Risks During Mergers and Acquisitions

More than one in three executives say they have experienced data breaches that can be attributed to M&A activity during integration.

Highly sophisticated threat actors target M&A activities because they offer the potential for short-term and long-term rewards. When publicly held companies are involved, the resulting media coverage can increase the chance that threat actors will seize the opportunity to attack. With operations in transition, high-value data is especially vulnerable.

Doing Due Diligence

More than half of companies wait until due diligence is completed to perform cybersecurity assessments.

Figure 1

While it’s critically important that potential liabilities are identified and accounted for in M&A deal valuation — and reflected in purchase, sale, and transition service agreements (TSAs) — most companies wait until late in the deal lifecycle to research and identify potential cybersecurity and data privacy risks and liabilities (see Figure 1).

Get Cybersecurity Leaders Involved

There are clear benefits to involving cyber risk and cybersecurity leaders earlier in the M&A lifecycle.

Of all the respondents, 32% reported having sophisticated M&A capabilities and achieving better outcomes from their M&A activity. Of these, almost 60% engage CISOs and information security teams earlier in the M&A lifecycle, during acquisition planning and screening of potential targets.

Security experts should be embedded in the corporate M&A process and play a key role in all its phases. Failure to understand how a merger or divestiture impacts operational risk exposure detracts from future value realization.

Calculating Risk During Mergers and Acquisitions

Cyber risk and cybersecurity assessments should be factored into target valuations.

Figure 2

Premiums are often paid to acquire a business, so it’s critically important that potential liabilities are identified to keep the premium in line with overall value. On average, companies devote up to 7% of their total annual revenue toward executing M&A activities, more than 80% of which is spent on the acquisition and post-close integration phases (see Figure 2).

Factoring In Security Considerations

Companies with mature M&A practices integrate risk and security considerations into their strategy, planning and valuation activities. Most notably, they analyze and quantify cyber risk factors and cybersecurity vulnerabilities. These organizations develop currency-adjusted cyber risk models that describe the impacts of potential financial and reputational risks. Armed with this knowledge, these organizations are in a powerful negotiating position because they have the freedom to step away from the table. If a cybersecurity issue or potential liability found during screening (pre-acquisition) is significant enough to disqualify a target, this translates to substantial operational cost avoidance.

In our experience, there are a number of reasons why companies delay or disregard engaging security experts during M&A. In some cases, it’s attributable to inexperience with the complex M&A lifecycle. In others, there may be a desire to limit the number of people with knowledge of an impending merger. Restricting “line of sight” to a potential merger is understandable during the pre-acquisition phase. However, excluding risk and security domain experts during deal valuation, negotiations and due diligence is problematic. Security and compliance issues can present large potential liabilities that impact the basis for a deal.

To learn more about how to quantify security risks within your M&A deals, register for our webinar.

For more insights, including recommendations for each phase of the M&A deal lifecycle, check out IBM’s new benchmark insights report, “Assessing cyber risk in M&A — Unearth hidden costs before you pay them.”
