Why M&A Transactions are a Soft Target for Cyber-Attack

Written by

In our digitally inter-connected world, cyber-attacks are seen as one of the most significant threats to businesses and the economy as a whole. The increasing sophistication used by perpetrators makes it plausible that a globally co-ordinated cyber-attack could create an economic meltdown on a scale similar to the 2007/08 global financial crisis.

The M&A market in particular is a perfect hunting ground for cyber-criminals. Annually we see $1trn in deals executed by private equity and corporate businesses. In most deals, pressures to conduct financial, commercial and legal diligence and ensure top-line growth understandably take priority, but this is a unique time when the ‘crown jewels’ of both the buyer and seller’s business are more exposed and therefore more attractive to cyber-criminals.

On the sell-side, the target organization’s financials, plans, employees, salaries, intellectual property, security registers and customer data directly influence the valuation of the asset and the perception of the business within the market. Likewise, on the buy-side, the acquiring organization’s plans, strategies and valuation for the transaction is very attractive to competitors and cyber-criminals. However, risks continue through the lifecycle of the transaction, and potentially into the next transaction. We explore these risks below and discuss how they are best addressed and mitigated.

Diligence, Valuation and Final Bids

The activity leading up to transaction signing is perhaps the most sensitive stage, due to the number of parties involved on both the sell-side and buy-side and the multiple flows of information between these parties, above and beyond the daily course of business. These two factors combined with the aggressive timescales of a transaction can create vulnerabilities that can be exploited by cyber-criminals to get access to commercial data, intellectual property or sensitive company information.

Sell-side teams need to ensure that they have strong information handling procedures and governance mechanisms in place to ensure the information shared maximizes the valuation but limits exposure. During this period of intense activity we would expect organizations to put in place heightened security and monitoring measures to identify suspicious activity at the earliest possible stage and protect the individuals involved against inadvertent lapses.

Buy-side teams should embed a cyber due diligence mind-set in their work to identify security loop-holes and backlogs that could require significant downstream investment or expose their own business. Such a mind-set will also mitigate risks arising from non-compliance of security and data protection regulatory requirements, which typically require significant investment to remediate and are prioritized over a buyer’s immediate plans for the business.

"Comprehensive and iterative security tests during the first 100 days will help identify potential risks"

Day 1 and First 100 Days

The first 100 days post transaction completion is critical to preserving and realizing deal value. A number of activities will be undertaken to separate the business from its parent, integrate it with the acquirer’s business and/or launch the tactical and strategic initiatives underpinning the buyer’s investment thesis. In the worst case the separation or integration will leave gaping security holes that are easily exploited; in the best case two businesses with different security operating models and maturity levels adapt to each other over time.

Given the publicity around the transfer of ownership and heightened risks for cybersecurity vulnerabilities arising from the activities taking place, comprehensive and iterative security tests during the first 100 days will help identify potential risks, weaknesses or oversights in their systems, networks and data before criminals can exploit them. Furthermore, in developing their detailed integration strategy and checklists it is important that organizations incorporate their assessment of the cybersecurity maturity of the target organization.

Exit Readiness

Cybersecurity threats can greatly undermine the timing and success of the sale process. A cybersecurity attack leading up to exit can potentially lead to delays to the process, risk losing reputation and value or in some cases lead to a decision to abort the deal entirely.

In preparation for exit, organizations should be aware of the expectations and requirements of potential buyers and the market, and ensure that the cybersecurity maturity is aligned. Incorporating a cybersecurity assessment as part of the exit readiness will allow time for any potential deficiencies to be addressed, and to identify if market and buyer expectations have changed or are different to the status quo. 

About the Author

Ian McCaw is an executive director in EY's IT Transactions Services team specializing in cybersecurity across the deal lifecycle. Over the last 15 years he has grown three information security businesses, including founding his own firm that was acquired by Deloitte in 2010. This hands-on experience of growing, selling and integrating businesses combined with transforming corporate cyber-defenses gives Ian a unique insight into the importance of cyber in the deal market.

What’s hot on Infosecurity Magazine?