
Cyber hygiene: identifying and defusing risks in M&A

October 2021  |  COVER STORY | MERGERS & ACQUISITIONS

Financier Worldwide Magazine

October 2021 Issue


Over the past 10 years or so, increasingly complex cyber security threats have emerged during the M&A lifecycle, and their nature and severity are causing mounting concern among dealmakers.

Essentially, every stage of an M&A transaction – be it strategy, screening, due diligence, transaction execution or post-merger integration – is potentially at risk of a cyber attack which, if not identified and defused, could harm both the acquirer and target, and perhaps even derail a deal entirely.

What is certain is that cyber security risks are increasing in frequency and affecting businesses of all sizes, across all sectors and jurisdictions. According to PwC’s 21st ‘Annual Global CEO Survey’ in 2018, 63 percent of all US chief executives stated that cyber threats were something they were extremely concerned about. Many went as far as to say that it was the number one threat to business growth.

Additionally, a study carried out by West Monroe reveals that more than 40 percent of acquiring companies discovered a cyber security problem with an acquisition after a deal went through – an indication that the cyber due diligence being carried out is not as robust as it should be.

Compounding this lack of robustness is insufficient knowledge and expertise. Analysis by csoonline.com found that around 32 percent of businesses simply lack workers with the skills necessary to identify and highlight potential cyber security issues.

In terms of the reputational damage engendered by a cyber breach, in the US, a survey by PCI Pal found that 83 percent of customers will stop spending at a business for several months after a breach has taken place and 21 percent will never return.

“As M&A practitioners, we are trusted as custodians of the brand, customers, shareholders and investors for both parties,” says Robert Gibney, chief financial officer (CFO) at SecurityScorecard. “As such, we need to know what the potential impacts would be if there was a threat to either party’s business prior to, during or after the close of an M&A deal.

“Prior to this year, cyber risks were unlikely to be part of the due diligence checklist,” he continues. “For a long time, cyber risks were siloed to the office of the chief information security officer (CISO), but CFOs and boards of directors also need to have a strong understanding of the business impacts as they evaluate growth opportunities.”

Moreover, these impacts can be considerable. The reality is that cyber security hygiene almost always has a material impact in terms of resources, fines, associated costs and brand damage; therefore, it needs to be uppermost at every stage of an M&A transaction.

“Most acquirers have very little visibility beyond subjective, potential and often point-in-time third-party risk scores that do not paint an accurate picture of active risks and compromises that plague a potential acquisition,” contends Sanjay Raja, vice president of marketing at Prevailion. “This causes enormous risk and cost to an acquiring company that must be reflected at every stage in order to adjust the true value, terms and agreement upon an offer and acceptance.”

To some extent, undertaking M&A requires dealmakers to overcome a fear of the unknown. “The security state, processes and other data provided, especially when it comes to a vulnerability assessment or threat detection report, simply provides a snapshot view that is often incomplete, has visibility gaps and is quickly out of date,” adds Mr Raja. “This leaves a lot of unknowns into the true state of the company to be acquired.”

One of the most infamous examples of how stiff the penalties can be when a data breach comes to light is the 2017 acquisition of Yahoo by Verizon. To summarise, Verizon purchased Yahoo for $4.5bn. However, after the M&A process was executed, Verizon discovered that Yahoo had experienced a data breach. As a result, Yahoo lost $350m of its purchase price and had to pay a $35m fine imposed by the Securities and Exchange Commission (SEC) on securities fraud charges.

Additionally, Yahoo then had to pay an extra $80m to its shareholders after many of them filed lawsuits against the company for failing to look after their data properly. “The importance of due diligence on cyber security risk is critical as the negative impact of Yahoo’s compromises and infection severely impacted the transaction after the fact,” says Mr Raja. “The key is that Verizon admitted the terms of the deal would have been much lower had it known Yahoo’s security challenges.”

The anatomy of risk

Clearly then, cyber risk is real throughout the M&A lifecycle and no business is immune. An awareness of the types of risk that can threaten a deal is therefore key, as is a due diligence process that can reveal cyber-related strategic deal issues, hidden costs and operational risks at an early stage of a transaction.

Surprisingly perhaps, many M&A practitioners have no clear sense of the overall magnitude of the risk they face from cyber attacks and data breaches.

According to 2020 analysis by the Cyber Leadership Institute, several factors have spurred the rise in M&A-related cyber risk, with the five listed below particularly significant due to their complexity and implications.

First, impersonation and compromise. Cyber criminals have historically exploited the hysteria that characterises M&A activities to target key staff with sophisticated phishing attacks – a risk highlighted by the Australian Cyber Security Centre (ACSC), which cautioned: “During major organisational change, staff may find they are under pressure to accept the validity of requests for data, payment or access from people they do not know, and whose identity and authority cannot easily be identified.”

Second, fear and concealment. Target organisations, as illustrated by the acquisition of Yahoo by Verizon, may be tempted to conceal material cyber security issues in their environment, fearing such information may undermine their deal prospects or significantly lower valuations. According to the Cyber Leadership Institute, M&A targets often represent the mythical Trojan horse for acquiring entities.

Third, legacy systems. Integrating dissimilar systems and technologies increases digital complexity. Many companies remain saddled with jumbles of complex, aged and proprietary applications. Complex digital environments are inherently harder to protect, as each additional technology may require its own skill set, as well as additional patch windows, hardening guidelines and vulnerability scanning.

Fourth, market manipulation. M&A negotiation strategies, pricing and associated sensitive information, such as the target company’s growth strategies or financial projections, taxation issues, contracts, customers, IP and key employees, are a prime target for criminals who use them to profit from illegal market manipulation. If this sensitive information falls into the wrong hands, it may dent deal prospects or result in serious regulatory issues.

Finally, insider threats. Target company employees may become anxious about the fate of their jobs and be tempted to export high-value information such as product development plans, proprietary algorithms and client confidential documents to external drives or public cloud environments. This risk is higher for businesses whose prospects depend on the diligent protection of IP, such as high-tech firms. Thus, M&A heightens insider cyber security threats.

“The most common risks from a cyber security perspective are business disruptions, data compromise and third party or supply chain attacks,” suggests Christina Powers, director of cyber security at West Monroe. “Business disruptions, which can often be caused by a ransomware attack, require considering how widespread system or data loss will be handled, and if and how business operations can continue in that event.

“A data breach requires understanding the types of data that an organisation is interacting with and what is in place to protect that data,” she continues. “For supply chain attacks, a process should be in place to assess third parties, their cyber maturity and the organisation’s reliance on those parties to perform business functions.”

In the experience of Mr Gibney, the largest risk pertains to human capital, or employees, to be precise. “From bringing personal devices into an organisation, to clicking links in a socially-engineered email, the people who work at a company are always the first point of entry for cyber criminals,” he asserts. “That is why training and education programmes and policies that teach best practices are so important.”

Assessment and actions

According to the IBM Institute for Business Value’s (IBV’s) 2019 report ‘Assessing cyber risks in M&A’, more than half of companies engaged in an M&A transaction do not perform cyber security assessments until after due diligence is completed.

Knowing how to assess risks and take appropriate action is therefore key. In its report, IBM outlines three key phases of an M&A transaction where thorough cyber risk assessments should be carried out.

Phase 1 is pre-acquisition. A security team can take a variety of actions to review the security posture of potential targets as early as target identification and screening. Ideally, security representatives should work with the corporate development team to define a clear process for the commitment of security expert resources. This can help strengthen protection, assessment and regulatory compliance in each activity in the M&A lifecycle, starting with strategic planning.

Phase 2 is acquisition. During due diligence, companies will want to identify potential security issues that create financial exposure, compliance issues, and other risks. Assessing the target’s security posture, specifically current security practices and operational vulnerabilities, is crucial to understanding the level of potential risk. In addition, suppliers and partners should be assessed, as a company’s entire supply chain is a potential source of risk.

Phase 3 is post-acquisition integration. For many companies, cyber security planning takes place late in the M&A lifecycle, so risk and security concerns, as well as potential cost savings, can be easily overlooked (or undervalued) unless they are translated into financial terms and intentionally factored into deal valuation models. Although it may be difficult to quantify risks in monetary terms, finding data or compliance issues is generally least costly when found prior to deal close.

“An acquirer should have a partner or dedicated team performing cyber security due diligence,” adds Ms Powers. “This group should understand the buyer’s acquisition strategy and overall management approach to identify risk and propose prioritised remediation activities, including estimated effort and investment.

“Additionally, before announcing a transaction, companies should increase cyber resiliency and the ability to recover from a potential attack as much as possible, including backing up critical data and system state to an offline repository,” she continues. “Threat actors keep an eye on deal announcements and know when a company is being acquired.”

Moreover, in Mr Raja’s view, acquirers need to move beyond vulnerability assessments that are overly focused on ‘potential’ risks but do nothing to assess actual threats. “Real-time information must be attained as the state of compromise can rapidly change,” he explains. “What is needed is the ability for acquirers to monitor actual compromises from the outside, to determine whether an attack, that may be unknown to them, is active due to gaps in endpoint or internally-focused threat detection programmes.”

Beyond ‘tick the box’

Today, the uncomfortable reality across the business environment is that every industry sector is vulnerable to cyber security breaches – a state of affairs that requires an end to entrenched ‘tick the box’ mentalities in favour of solutions that strengthen cyber security posture.

“Leveraging external continuous breach monitoring as a tool to assess a potential acquisition is the next, more concise and evidentiary solution for assisting acquirers through the entire M&A lifecycle,” contends Mr Raja. “This new category of cyber security solutions is focused on a zero-touch, externally focused monitoring of malware that has gone undetected by traditional extended detection and response (XDR) solutions and provides more context to active threats that have bypassed current controls and detection methods.”

For Mr Gibney, another element likely to strengthen cyber security oversight is regulatory filings. “When large businesses are acquired, there are regulatory compliance filings, so governments may start implementing cyber security risk profiles to M&A and ongoing operating filings,” he suggests. “In the US, recent executive orders show a desire for the federal government to begin looking more aggressively at cyber security postures.”

Across the M&A landscape, the attitude to cyber security is shifting from a traditional focus on data protection and compliance obligations toward alleviating the potential for a major cyber security event. “Previously, cyber due diligence was more ‘tick the box’ and was compliance-related,” concludes Ms Powers. “Now, with cyber threats such as those posed by ransomware having the ability to paralyse a company’s business operations, it is more critical than ever for companies to fortify their cyber hygiene.”

© Financier Worldwide


By Fraser Tennant

