Cyber Risks Impact on Mergers and Acquisitions

Written by AJ Yawn

The mergers and acquisitions (M&A) process involves a deep analysis of an organization's balance sheet, market share, and the other organizational factors that can make or break a deal. Alongside those financial and organizational metrics, another factor now carries just as much weight in the valuation: cybersecurity.

The Verizon acquisition of Yahoo is the clearest example. Yahoo's disclosure of two massive breaches from earlier years, made while the deal was pending, resulted in a $350 million reduction from the originally agreed price.

When acquiring a company, the purchasing organization also acquires that company's cybersecurity program and the cyber risks that come with it. Unexpected cybersecurity issues surfacing mid-deal are the last thing executives and the deal team want. A recent Forescout Technologies study of over 2,500 information technology and business decision-makers found that 53% of respondents reported a critical cybersecurity issue or incident that had jeopardized an M&A deal.

These issues are often identified during the auditing process. They cause unwanted delays, add cost, and raise questions about the target organization's value, all of which have significant consequences for the deal.

This acquisition of cyber risk can be seen as a negative aspect of M&A. However, when implemented correctly, a cybersecurity program is an asset in M&A and should be viewed that way.

According to a survey conducted by (ISC)², 95% of surveyed M&A professionals considered cybersecurity a tangible asset. That asset goes well beyond the technical stack of the application or service: a cybersecurity program also encompasses soft assets such as risk management policies, on-boarding and off-boarding procedures, and vendor management.

All of these factors are part of the tangible asset that a cybersecurity program represents. A strong cybersecurity program can therefore be used as a differentiator and a value-add in the M&A process.

A proactive approach to cybersecurity is the way forward for organizations looking to take advantage of future M&A activity. Organizations have to remain proactive to avoid surprises during the M&A process. Undergoing an audit early in an organization's or product's lifespan pays dividends with potential customers and purchasers: it protects the organization from surprises during the M&A process, and it protects the purchasing organization from being blindsided by the state of the existing cybersecurity program, or by the lack of one.

Having your company's first cybersecurity audit performed by a potential purchaser can create serious problems for the acquisition process. Proactively assessing your cybersecurity program reduces the potential for surprises in a future acquisition and helps the organization build good cybersecurity habits at an early stage.

There is an alphabet soup of compliance frameworks that organizations can use to prove and validate the value of their cybersecurity programs. ISO 27001, SOC 2, PCI DSS, HIPAA, and HITRUST are all common frameworks against which organizations are audited to demonstrate their cybersecurity practices to third parties.

While all of these frameworks have their strengths and weaknesses, the SOC 2 reporting framework is best suited to letting an organization present security as a differentiator without being hamstrung by prescriptive requirements that may not be relevant to its business. A SOC 2 report includes a detailed description of the system under examination, covering its infrastructure, software, people, procedures, and data, and the auditor's opinion on the controls. A Type 2 report goes further than a Type 1 by testing whether those controls operated effectively over a defined period rather than at a single point in time.

This information is valuable to a potential purchaser because it provides detailed, independently attested assurance about the controls in place at the service organization. An annual SOC 2 examination signals maturity to potential purchasers and customers and demonstrates that your organization takes cybersecurity seriously.

Whether your organization is still just an idea or you are in the middle of acquisition conversations right now, cybersecurity is and will remain an integral aspect of your business. Establishing and maintaining a cybersecurity program lets an organization reduce risk throughout the life of the company, including when it matters most: during an acquisition. The M&A process will include cybersecurity due diligence. Is your organization prepared?


AJ Yawn is a cloud security subject matter expert with over nine years of senior information security experience and extensive experience managing a wide range of compliance assessments (SOC, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers.

AJ spent over five years on active duty in the United States Army, earning the rank of Captain. AJ has earned several industry-recognized certifications, including the CISSP, AWS Certified Security Specialty, AWS Certified Solutions Architect-Associate, and PMP. AJ is involved with the AWS training and certification department, volunteering with the AWS Certification Examination subject matter expert program.

AJ graduated from Georgetown University with a Master of Science in Technology Management and from Florida State University with a Bachelor of Science in Social Science.
