Security experts agree that companies need to consider not only their own internal security but, increasingly, the security of their partners. Given numerous examples of catastrophic security failures arising from third-party relationships, such as the Experian data breach involving T-Mobile, the merger and acquisition industry needs to catch up. As a company considers a merger or acquisition, understanding the security preparedness of the target is now a board-level concern.
A recent article by Taylor Armerding entitled “On the hunt for merger or acquisition? Make sure your target is secure” discusses this topic in detail. Armerding quotes a survey of organizations involved in M&A activity: while a large majority think that cyber security risks can affect a pending deal, most believe cyber security is not analyzed in great depth, or specifically quantified, as part of the M&A due diligence process.
Why hasn’t the increased awareness of cyber risks changed the M&A process?
Most M&A activity focuses on what is being acquired, and so tends to look at financials, intellectual property and other valuable assets. An acquirer needs to understand the assets and liabilities it is taking on, and will treat a lack of adequate security as a business risk, just as leases, debt and potential litigation are liabilities. Since lawsuits, lost revenue, brand damage and lost customers can all arise from a data breach, minimizing that risk through cyber readiness will begin to figure into the M&A process.
Is the level of cyber risk of a target or acquiring company as important as its financial position?
Yes. One of the most common reasons for one company to purchase another is to acquire intellectual property. Most cyber-attacks today target intellectual property or other sensitive company information. If I were acquiring a company, I would want to ensure that the risk is minimal that someone is already inside stealing sensitive data, or that a data breach could occur because the company cannot adequately protect its digital assets from unauthorized access.
Why do most due diligence questionnaires focus more on past breaches than future threats?
The assumption is that if a company has had a data breach, it has taken the necessary steps to prevent future threats. This is only likely if the company constantly assesses its cyber risks and stays one step ahead of the threat; many companies do the bare minimum to protect themselves. Unfortunately, most information security is reactive and looks to protect systems and networks rather than the sensitive information itself. If a company protects its data through strong encryption and permission control, it remains in control of the sensitive information and can minimize future threats.
How should companies involved in M&As conduct due diligence regarding cyber security?
Since most malicious insiders and external hackers want to steal sensitive data, the acquiring company needs to validate the processes, procedures and technology in place to ensure that only authorized people can access that data. This requires a layered security approach that encrypts the data and enforces strong access control, regardless of where the data is located. Running an independent security assessment and penetration test, much as you would get a home inspection before purchasing a house, would uncover potential vulnerabilities and recommend measures to remove them.