Light Dark
October 8, 2019 By Adeeb Rashid 3 min read
CISO
Data Protection

Mergers and acquisitions (M&As) are a critical part of doing business in our modern, hypercompetitive world. Of all the factors that go into the valuation of a deal, cybersecurity occupies a prime place of importance. Ignoring it is a recipe for disaster.

When an enterprise overtakes or acquires another one, it takes over that company’s assets and liabilities as well. The valuation of the deal accounts for these factors. Nowadays, taking over a business entails absorbing its digital operations too — which means potentially opening the parent organization to cybersecurity threats and the risks associated with acquired applications and information systems.

That’s why it’s so crucial for business and security leaders to perform due diligence when finalizing M&A deals. Failure to do so can jeopardize the deal’s anticipated value. On the other hand, early detection can go a long way toward resolving cybersecurity issues in time.

Is Cybersecurity on Your M&A Due Diligence Checklist?

Of all the risks associated with M&A deals, cybersecurity issues rank right at the top. Besides violating rules and regulations, cyberthreats erode the assets of the merged entity, thereby damaging its reputation and derailing its growth in the market.

An acquired entity always endeavors to maximize its returns in every way. At the same time, the acquirer’s network needs to ensure adequate valuation of the deal so that it becomes a sustainable asset. Investment in cybersecurity is, therefore, a critical factor.

Cybersecurity is crucial in all kinds of businesses; it is not limited to tech establishments alone. For example, a restaurant chain is as vulnerable as an e-commerce retail store because consumers use their credit cards for payment. A data breach in either industry can cause enormous losses to consumers and, ultimately, the business.

The vulnerabilities present in untested or unreliable systems acquired as part of M&A, if exploited, could potentially:

  • Affect the day-to-day operations of the merged entity and availability of information systems;
  • Lead to loss of finances, regulatory fines and/or legal repercussions;
  • Damage the morale of both new and existing employees after a M&A has taken place; and
  • Result in reputational damage to the enterprise.

Cyberattacks can compromise much more than just credit card data. For example, an attack on a pharmaceutical producer could compromise a well-guarded formula for a drug, the breach of a manufacturing entity could compromise product designs, and an insecure distribution network might put transportation models at risk. Simply put, cybersecurity issues affect every business model.

How a Data Breach Can Derail a Merger or Acquisition

Data breaches represent one of the greatest risks companies face during an M&A deal, and a breach can reduce the value of an agreement considerably — in some cases, to the tune of more than $350 million, or about 7 percent of the original price.

If a malicious actor hacks into a company’s network, the threat could remain undetected for a long period of time, even when sophisticated cybersecurity systems are in place. When this happens, the merged entity’s security team may not discover the breach until after the M&A deal has closed. That’s why it’s so crucial to conduct a thorough cybersecurity assessment before merging with or acquiring a company.

Even if a company’s bottom line is unaffected by a security lapse, its reputation could take a severe hit. It may be impossible to know just how much data was lost in a breach and, therefore, to assess the resultant damage. What is certain is that data breaches erode customer trust.

Many enterprises have cyber insurance coverage, but whether a firm will actually cover a data breach is a matter of conjecture. Even if insurance does offset the costs associated with a breach, companies need to practice due diligence to keep prices from falling during a M&D deal.

M&A Cybersecurity Assessment Checklist

Business and security leaders should take the following preventive and detective measures to ensure due diligence and vigilance during a merger or acquisition:

  • Conduct a third-party cybersecurity audit of the information systems being acquired to detect any vulnerabilities and assess the current state of cybersecurity.
  • Take careful stock of the organization’s technological assets and liabilities before completing acquisition formalities.
  • Take advantage of third-party services to assess the cybersecurity posture and maturity of the organization being acquired.
  • Proactively assess and monitor the networks, applications and other systems on both the acquirer’s and the seller’s side.
  • Assess the resilience posture of the target acquisition’s third-party vendors.

It is impossible to achieve total, fool-proof protection from enterprise security threats, especially with increasing pressure and competition in the marketplace prompting companies to join forces. However, there’s no excuse for cutting corners on your due diligence when, depending on the size of the companies and severity of any vulnerabilities discovered before, during or after an M&A deal, up to hundreds of millions of dollars — not to mention your customers and reputation — are at stake.

 |  |  |  | 
Adeeb Rashid
Security Strategy, Risk and Compliance Consultant, IBM

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature