Mergers and Acquisitions (M&A) are a popular strategy for companies looking to expand their footprint and increase opportunities. The total number of M&A deals from June 1, 2020 to June 30, 2021 was 16,672, up from 13,446 in the twelve months prior. There are many reasons for companies to pursue M&A strategies, such as achieving greater economy of scale, attaining greater market share, geographical diversification, or the acquisition of new technology. It is important to note that, in terms of security, an acquiring company inherits any existing cybersecurity vulnerabilities, incidents, and resulting liabilities along with the beneficial assets that are being purchased. Sometimes a poor security history can outweigh any perceived benefit.
Cybersecurity Audits are now Standard Practice for M&A Transactions
M&A transactions can take months or even years to complete. The acquiring company must perform its due diligence to gain a complete understanding of the target organization. A cybersecurity audit is essential to identify the security controls and intrinsic vulnerabilities of the target enterprise. An undiscovered data breach can not only cripple the deal but also introduce liability in the form of financial burden, reputational damage, or both. Audit questions to consider can include the following.
Does the target company:
Conduct regular risk assessments, vulnerability scans, and penetration tests of its systems?
Have a documented cybersecurity strategy that is enforced from the top-down and across the entire organization?
Have a written Incident Response Plan (IRP) that is regularly tested and rehearsed?
Perform compromise assessments on its own environment to identify any vulnerabilities?
Have a recent security architecture review to assess the strength of its infrastructure?
Have a program in place to train its employees on privacy and security best practices?
According to a recent (ISC)2 study on M&A and Cybersecurity, study participants unanimously stated that cybersecurity audits have now become standard practice for M&A activity. Survey participants listed cybersecurity considerations as a major factor in determining the viability of a deal. In total, 77% reported making M&A recommendations based on the strength of an existing cybersecurity program.
A Poor Cybersecurity History Can Tarnish a Deal
A company’s cybersecurity history can hamper M&A interest for years to come. According to the same study, half of the survey respondents agreed that the discovery of previously undisclosed breaches would derail a deal.
The acquisition of Yahoo by Verizon back in 2017 for $4.48 billion nearly fell through due to two data-breach incidents that occurred during the negotiations. The first attack involved the personal data of some 500 million users and included unencrypted passwords. Login credentials and personal information were also compromised for nearly 1 billion users in the second attack. In the end, Verizon chose to go ahead with the deal at a reduced purchase price.
Another example involves the acquisition of the luxury department store chain Neiman Marcus. On October 25, 2013, a Canadian group completed an acquisition of the retailer. What they didn’t know was that a cyber incident had taken place as early as July 16, 2013, in which malware was injected into the company’s payment-processing system. The incident would eventually compromise the data of 350,000 customer payment cards. Neiman Marcus became aware of the fraudulent use of those payment cards on December 17, 2013. On January 10, 2014, it publicly disclosed the incident. In 2017, it eventually paid $1.6 million to settle a class-action lawsuit filed on behalf of those whose card information was exposed.
Cybersecurity Can be an Acquired Asset
It is important not to view cybersecurity only as a liability in terms of M&A activity. In the same study, 95% of survey respondents considered cybersecurity programs to be a tangible asset, while 63% considered security tools to be general assets. Such assets include a company’s cybersecurity infrastructure, risk management policies, and training programs. In fact, 82% stated that the stronger a company’s cybersecurity infrastructure is, the higher the assessed value of the organization. With 50% of companies being impacted by ransomware in 2020 according to a Cisco study, it is understandable why a company’s cybersecurity expertise can be highly valuable to many other companies today.
What Cybersecurity Due Diligence Involves
The occurrence of a cybersecurity incident doesn’t necessarily deter a merger or acquisition. How the company dealt with the incident proves far more important: how it handled the aftermath of the breach and what it did to fix the vulnerabilities. One must assess how the breach occurred and whether the company performed its duty of care in attempting to prevent such an attack in the first place. A company may be held liable for an attack that it could have prevented had it taken appropriate measures that are deemed reasonable. According to HALOCK partner and Board Chair of the DoCRA Council Chris Cronin, in litigation a demonstrated duty of care shows the absence of negligence, which is a determining factor in lawsuits. A growing number of security frameworks are now available that can help organizations define what “reasonable security” actually means. Chris recommends two resources that businesses can use to establish ‘reasonableness.’
Due Diligence is Key
The Sedona Conference Commentary on a Reasonable Security Test offers guidance through a reasonable security test designed to be consistent with the models for determining reasonableness that courts, legislative and regulatory oversight, and information security control frameworks have used in various other contexts. As a contributing editor for the Reasonable Security Test, Cronin describes the commentary’s benefits as “demonstrating its universality” in those domains as well as being a “useful analytical tool for management who plan security priorities, budgets, tactics, and resources.”
The Duty of Care Risk Analysis (DoCRA) standard provides principles and practices for analyzing risks that address the interests of all parties potentially affected by those risks. DoCRA brings together a company’s mission, objectives, and obligations so that the perspectives of IT, legal, the C-Suite, the board of directors, customers, and the public are all reflected in the analysis of the organization’s risk profile.
Overall, a best practice is to have an independent, outside partner perform a risk assessment using Duty of Care Risk Analysis (DoCRA) during the M&A evaluation process. Fully evaluate the inherent risks of a proposed acquisition and determine the effectiveness of the current security controls, policies, and strategies to secure the target organization’s assets.