In our modern digital age, cybersecurity is a major risk factor in Mergers and Acquisitions (M&A) transactions but is still routinely overlooked. Acquirer in an M&A deal is at the risk of buying the cyber vulnerability of the target company and assuming the damage and liability from the incidents it suffered prior to the purchase, as well as post-factum as a result of a poor cyber maturity. Post-acquisition discovery of security problems, and even major breaches, is a far too common scenario.
Over a third of acquirers engaged in a Merger and Acquisition transaction said they discovered a cybersecurity problem during the post-acquisition integration of the acquired company.
Cybersecurity is Critical to the M&A Due Diligence Process - a Gartner report
One of the most highly publicized examples of an M&A-related cybersecurity problem was likely Verizon’s discovery of a prior data breach at Yahoo! after having executed an acquisition agreement to acquire the company.
This discovery almost scuttled the deal, and ultimately resulted in a $350 million reduction in the purchase price paid by Verizon, with Yahoo! required to pay a $35 million penalty to settle securities fraud charges alleged by the U.S. Securities and Exchange Commission (SEC) and an additional $80 million to settle securities lawsuits brought by disgruntled stakeholders.
It is critically important for an acquirer to understand and evaluate the extent to which the enterprise is vulnerable to a cyber attack via a detailed due diligence assessment performed by a trusted cyber risk partner.
Equally important, an acquirer must know if the target may have experienced an attack that compromised its high-value digital assets without management’s awareness or clear comprehension of the severity of harm to critical corporate information and IP assets.
Leveraging the results of the above due diligence, the acquirer can negotiate appropriate holdbacks and earnouts, and obtain an accurate view of the risk they are facing.
By 2022, Gartner reports that 60% of organizations engaging in M&A activity will consider cybersecurity posture as a critical factor in their due diligence process, up from less than 5% today.
A bit of an interesting statistic: from the announcement of a deal to the close, the frequency of cyber attacks typically increases by ten to 100 times (McKinsey), since hackers seek to exploit temporary vulnerabilities that can appear as organizations bring their IT environments together, including using previously compromised systems as launchpads into the combined company’s environment, leading to significant financial and reputational damage.
This is precisely why cybersecurity should also be a deliberate focus during post-transaction integration activities, as the reshuffling of resources, as well as technology and infrastructure changes, may inadvertently increase the company's degree of cyber risk.
Finally, employing a holistic and deliberate approach to identifying and managing cyber risks during and after an M&A deal will build a strong foundation of trust and transparency between the acquirer and an acquiree, paving way for successful integration and further growth.