The Costly Risk Everyone Forgets About in M&A
Overlooking cybersecurity during due diligence could lead to a rude awakening.
Most professionals are aware of the threat of a cyber attack that comes with the move toward a fully integrated digital workplace. Yet few seem to fully grasp just how vulnerable their organizations are, or where their major soft spots lie. Compounding this issue is the fact that organizations are often slow to recognize when their systems have been penetrated. The average time it takes for a company to identify a breach? One hundred ninety-seven days — that’s more than six months.
This kind of lax oversight can lead to a rude awakening for organizations involved in a merger-and-acquisition (M&A) transaction — and especially so when an issue is found late in the process. By one account, 40 percent of acquiring companies reported discovering “a cybersecurity problem during the post-acquisition integration of the [targeted] company.”
While due diligence in an M&A has traditionally centered on financial, organizational structure, operational, or contractual risks, assessing cyber risk is now just as vital. Overlooking it not only increases risks and liabilities for the merged entity, but it can impact the transaction price.
Taking Cybersecurity Risks Seriously
Why does cyber risk often get overlooked in due diligence? One reason is that board members and executives across industries often lack cyber risk expertise and management. If decision makers are unable to adequately assess and address their companies’ own cybersecurity, it’s likely they will give it short shrift during M&A.
No matter which side of a deal your company occupies, the general threat landscape calls for a comprehensive cybersecurity program to ensure your organization is properly protected. At a minimum, an assessment should include determining if industry-standard best practices are being met and identifying and assessing existing vulnerabilities so that appropriate steps can be taken to develop a robust security posture.
Simply put, you want to assess controls already in place regarding your people, processes and technology, as these all affect the value and viability of an organization.
Organizations must also understand their unique cyber risk profiles, which involves mapping the probability and severity of various cyber threats to a specific company. Numerous factors make each organization distinct and having a cybersecurity program assessment performed helps determine your company’s cyber risk.
Assessing cyber risk should not be limited to the two entities involved in an M&A, however. Any party that is part of a digital ecosystem with access to networks, systems or databases of either entity should be considered. Cyber criminals can exploit vulnerabilities at the lowest rung of the supply chain — these are the smaller, third-party vendors that are often under-protected — to gain entry to the networks of the M&A entities.
At a minimum, companies need to ensure that their third-party vendors have taken steps to secure data. That’s especially so for the larger consumer-facing organization in an M&A since these entities are more likely to be targeted by cyber criminals. In the end, any organization’s cybersecurity infrastructure is only as strong as its weakest link.
Address Your Vulnerabilities Now
Proactively addressing vulnerable organizational areas can help improve your posture and send a message of accountability to the acquiring or targeted company in an M&A. These three areas call for special attention.
1. Brand and Reputation
A single cyber attack can break the trust of both the investor and the customer, inevitably damaging company brand and reputation. Cyber attacks often attract negative press, further ruining customer trust in a company's product and services. However, having a tested and effective incident response plan in place ahead of time will limit potential damages and improve customer trust if the response is conducted in a timely and proactive manner.
2. Private/Proprietary Data
Cyber criminals can lay dormant in a system for years, collecting data without anyone knowing. Once two companies become one and operate under the same network, the cyber criminals now have access to additional information, databases and systems. This can be avoided by conducting a cybersecurity assessment that is performed by an independent third party before the involved parties agree to a deal. Understanding what risks exist and if they are acceptable or not in advance will prevent a myriad of potential problems in the future.
3. Information Systems
The aftermath of a cyber attack can be devastating, especially if the data lost in the attack is sensitive in nature, such as personal, health or financial. The average cost of a data breach for U.S. companies is $7.91 million, more than enough to put certain organizations out of business. Companies can avoid these costs by completing an audit of their information systems pre- and post-merger/acquisition, ensuring existing vulnerabilities are secured.
The costs associated with a cyber attack continue to rise and can linger for several years after the actual incident. Beyond the M&A, however, securing company data, finances and information systems requires incorporating cybersecurity risk factors as critical components of operations.
© Copyright 2019. The views expressed herein are those of the authors and do not necessarily represent the views of FTI Consulting, Inc. or its other professionals.
Senior Managing Director