By Lawrence Perret-Hall, COO at CYFOR Secure
It’s been a tough year for mergers and acquisitions (M&A) deals, but the gloom may be lifting. Industry watchers and business leaders predict activity will bounce back in 2024, with 94 percent of European financial services CEOs expecting to pursue strategic transactions in the coming 12 months. They know dealmaking is fraught with risk for both buyers and sellers. But one factor that is often underestimated is the potential impact of cyber risk on M&A outcomes.
Given the financial and reputational stakes involved, relying on self-disclosure to inform cyber risk is not enough. That’s why business leaders need to carry out comprehensive cybersecurity risk assessments to make better informed decisions. Anything less might lead to a heavy dose of buyer’s remorse.
Due diligence is a must
Although global dealmaking is some way from the highs of 2021, there are reasons for cautious optimism in the year ahead. Gartner claims that well capitalised enterprises may swoop for smaller tech-focused startups struggling to raise VC funding in a new wave of “techquisitions”. Moreover, Bird & Bird argues that both buyers and sellers are “prepared to deal” in order to scale their business and/or enter new markets.
Those boards responsible for making such decisions are well versed in the typical legal, financial, and operational risks that M&A deals can throw up. They also understand the importance of due diligence in uncovering these risks early on in order to make better informed M&A decisions, but cyber risk is still too often overlooked despite the serious impact it can have.
Acquiring companies need to look more carefully at target businesses: serious deficiencies in their security posture or unidentified breaches could have a major impact on deal price, or whether a deal can even be done. Even if a transaction has already gone through, risks should be identified as quickly as possible so remedial steps can be taken to minimise any long-term erosion of deal value.
What might be wrong?
Many organisations run a blend of legacy on-premises systems and modern, distributed cloud architectures. Combined with a fast-evolving threat landscape, this can create cyber risks that even the target company itself is unaware of. From cloud-native software development to AI, Internet of Things, data analytics, and even home-working laptops, countless modern investments expand the potential attack surface. And risks extend beyond an organisation’s own network: many have opaque supply chains which are often left unmanaged. One 2022 study claims two-fifths of global organisations feel their cyber attack surface is “spiralling out of control”.
Threat actors are primed and ready to take advantage. Tapping a cybercrime economy worth trillions annually, they target organisations at their weakest points. That could be the individual employee, susceptible to phishing links while working on an unprotected laptop at home, or it could be a remote desktop protocol (RDP) endpoint misconfigured in a way that allows brute-force password attacks. They are spoilt for choice.
The cybercrime underground provides a ready-made marketplace for vulnerability exploits, stolen credentials, and even easy-to-use “as-a-service” offerings which lower the bar to entry for non-technical threat actors. With relatively little skill, a budding cybercriminal can gain or purchase access to a corporate network and move laterally unseen until they find sensitive data to steal and/or encrypt for ransom. That’s why 59 percent of mid-sized UK firms and 69 percent of large businesses experienced a breach in 2022. And it’s why 2023 is already a record year for publicly reported US data breaches.
Some cautionary tales
Cyber due diligence is essential to root out serious problems. It could be widespread vulnerabilities or misconfigurations that need fixing, or dangerously low levels of staff security training and awareness. It could be the presence of malware or even threat actors inside the network. Or it may be an undiscovered and/or undisclosed data breach. Any of these issues and a range of others may expose the acquiring company to serious financial, reputational, and regulatory risk.
Nor are these merely theoretical risks. Consider the infamous Verizon acquisition of Yahoo, when the discovery of historic data breaches at the internet pioneer led Verizon to negotiate down its purchase price by $350m, or around 7% of deal size. Marriott International was not so fortunate when it acquired Starwood Hotels in 2016: its due diligence failed to spot a 2014 mega-breach at the firm which, when finally revealed in 2018, led to major regulatory fines, negative publicity, and class action lawsuits for Marriott.
How to mitigate M&A risk
So how should acquiring firms proceed with their cyber due diligence process? How deeply they want to peer into a target organisation will depend on risk appetite. But at a bare minimum, vulnerability assessments and penetration testing can provide useful insight into the cyber-resilience of an organisation’s internal and external networks, devices, and assets.
More broad-based risk assessments may help to uncover a target company’s approach to breach management, disaster recovery, business continuity, and compliance with industry regulations and standards like GDPR or ISO 27001. Dark web monitoring allows organisations to see if corporate data or credentials from a target company have been breached and put up for sale.
With this context, an acquiring company will be able to make better informed decisions. It may mandate that a target company remediates any serious issues before the transaction, it may want to reprice the deal, or it may even walk away altogether. Even after a transaction has been completed, due diligence can provide critical insight to reduce risk exposure and support compliance programmes as quickly as possible. A virtual CISO service can be invaluable here in helping the acquiring company to develop relevant policies and awareness.
Cyber risk is an increasingly important business risk. Organisations that understand this will be best placed to make a success of their M&A deals. But boards that continue to dismiss IT security as a mere cost centre may have some nasty surprises in store next time they go shopping for a new acquisition.