Rethinking M&As In an Era of Cyber Risk

For companies that use acquisitions as part of their growth strategies, the target company’s technology has usually been a late-stage consideration — something to look into after a deal has been announced or completed. While it might not have been ideal if a target had outmoded or deficient infrastructure, it wasn’t a deal-killer.

But in an era of cyberattacks, technology infrastructure can be exactly that — a deal-killer.

Cracks in companies’ security walls, whether those of the buying company or its target, can lead to costly problems at every stage of a transaction. In recent years, merger and acquisition (M&A) discussions have even been disrupted by cyberattacks, in some cases before the negotiations became public, according to the FBI.[1] And if an acquired company’s vulnerabilities aren’t discovered until after the deal has closed, any security issues, such as malware or phishing emails, can quickly become the buyer’s problem. 

These risks are increasingly being factored into acquirers’ calculations. Gartner recently said that by 2025, it expects 60% of companies to treat cybersecurity resilience as an essential attribute in a prospective partner.[2]

Phase-Dependent Actions 

A security-informed M&A is most easily achieved when acquirers have their radars out, so to speak, at each phase of the transaction. Here are the most important considerations along the way.

Pre-acquisition: CISOs aren’t going to be brought into early strategic M&A discussions. But they can still help in this initial stage. 

• Provide input on cybersecurity to business-side executives. A company’s CISO or head of information security can provide initial ideas to the corporate development team about the best process for assessing a target’s security operating model and when that process should begin. This executive can also help organize any research that’s needed to build a list of potential business partners, without violating rules about insider information. Partnerships, after all, take many forms — not just acquisitions. The company should know what the public record indicates about any prospective partner’s past security performance.

Deal announced: With the acquisition plan public, the need to limit information access is gone. A company’s security experts can and should contribute in areas where their expertise is valuable.

• Perform due diligence. The due diligence period has typically included an examination of contracts, conversations with customers and financial audits. Nowadays, it should also include an examination of the target company’s information security systems and security-related processes. The initial questions in this step will be for the target company’s CISO or head of information systems. But the inquiry should go further, into the target’s supply chain. A vulnerability just a hop or two away could eventually become the acquirer’s vulnerability, too.
  Indeed, cybersecurity vulnerabilities could become part of the negotiation and influence the deal’s price. In an extreme case, such vulnerabilities may become a reason for the acquirer to pull out of the deal altogether. In fact, 35% of risk managers surveyed by IBM said they decided not to proceed with a deal because of the perceived cybersecurity risks.[3]
• Create a cybersecurity road map. Technology integrations or adjustments are unlikely to start before a deal is complete. But a plan that goes into effect on the day the deal closes and includes a timetable for reaching different milestones can be prepared in advance. For some acquisitions, the right plan might be to temporarily maintain completely discrete technology operations. In other cases, integration might start immediately in specific infrastructure areas while other areas remain separate.
  Email security should be a priority on any M&A road map given the volume of both companies’ incoming and outgoing communications. For the same reason, dealing with potentially vulnerable endpoints should also occur relatively early.

Post-acquisition: Once the deal is complete and moves into the post-merger integration (PMI) phase, effective cybersecurity becomes about tactics.

• Secure the combined company’s most vulnerable systems through technology. For branding and productivity reasons alike, many acquirers will want to move quickly to a single domain for their emails. This requires the use of a unified email solution that provides advanced defenses against malware, spam, and other email-based threats.
  It's also an argument for taking advantage of the artificial intelligence and machine learning tools that are now part of some leading email security systems. By using these newer tools, acquirers will find themselves with systems that are continually improving, thereby providing a great return on their investments. 
• Plan for employees and partners who might feel “cast off.” Amid the uncertainty of an acquisition, companies may be concerned about whether employees will continue to do their jobs well. But concerns should also include whether they will become internal threats, either to the company’s reputation or to its sensitive data. Business partners with system access could also pose risks if they sense the deal is going to hurt them. The PMI road map should include tactics for minimizing any risks from within.
• Double down on security-awareness training. Given the role that human error plays in many successful cyberattacks, it’s crucial that a company’s staff be part of the defense. Good training is especially important amid changes, from cybercriminals exploiting a new tactic, to the arrival of unfamiliar productivity tools whose vulnerabilities may not be clear to employees, to staff changes, which are almost always present in an acquisition. Even if the existing company’s staff is well-trained in the telltale signs of spoofs and phishes, the staff of the acquired company may not have the same awareness. Teach them.    

The Bottom Line

M&A activity exposes acquirers to a heightened risk of cyberattack. At some point during a transaction, it won’t just be its own security holes that an acquirer has to plug — the vulnerabilities of the target will also become relevant. A target company’s resilience, or lack thereof, should be part of a deal’s due diligence and determine post-deal changes. Learn how Mimecast’s comprehensive email management software can ensure a smooth transition and minimize the cyber risk during a business combination."

[1] “Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims,” FBI

[2] “Gartner Unveils the Top Eight Cybersecurity Predictions for 2022-23,” Gartner

[3] “Assessing cyber risk in M&A,” IBM