Founder and CEO of Spider Digital Innovation and a tech entrepreneur with global footprints in Cybertech, Fintech, and Social Innovation.
A fact we can unanimously agree upon is that Covid-19 has struck disaster in just about every industry. Among the many areas of life and business impacted, the pandemic has caused massive chaos in a particular institution: mergers and acquisitions. Even without the threat of economic uncertainty looming over us at large, M&A deals are rather complex, time-consuming and inherently risky.
According to Accenture, deal volume in the first half of 2020 actually dropped down to 49%, with deal value down 22% from the year before. Technically speaking, in assuming the assets and liabilities of the target, the acquirer in the deal absorbs its digital platforms, intellectual property and customer databases. As a result, they end up absorbing virtually any exposure to cybersecurity threats and all compliance risks within the target’s information systems, as well as the expected risks that arise due to the target’s administrative and operational practices.
As the cyber risk landscape develops at an unprecedented rate, especially in the last recent months, it goes without saying that cybersecurity must be a top concern for business leaders. When moving forward with a merger or acquisition, they must be given the same priority level as any financial or legal considerations.
Let’s look at some of the key strategies you can employ when proceeding ahead with an M&A.
1. Attack Surface Assessment
Research on the dark web sponsored by Bromium has found that almost 60% of dark web materials or listings could be harmful to businesses.
Today’s architectural framework of conducting business is shifting largely to include automation. Employing automation to assess company assets is now a necessity, especially since humans can’t accurately audit all the assets within a company.
In order to take account of any blind spots within attack surfaces, an important strategy is to look for whether a company has been victim to breaches in the past and just how frequently they’re allowing their networks to be exposed to bad actors.
Let’s look at a company that suffered major losses because it couldn’t carry out the above. Take the Verizon acquisition of Yahoo in 2017. The valuation of Yahoo dropped $350 million “after Yahoo disclosed three massive data breaches compromising more than 1 billion customer accounts.”
2. Threat Intelligence Reporting
Another extremely effective way to steer clear cybersecurity risks is to keep tabs on the latest industry threats and be knowledgeable of the hidden risks within their networks. When organizations follow the same approach a potential attacker would, they’re better positioned to investigate and prioritize these liabilities.
There are two main intelligence types: closed-source and open-source intelligence. The data availed from these sources can be used to understand how an organization may have been targeted in the past. As a result, it’s important to determine the true nature of risk presented by the business involved in the transaction.
3. Implications Of Remote Architecture
The initial remote nature of work that presented itself due to the pandemic seems to be here to stay. As IT teams implement remote technology, this leaves both the workforce and the organization exposed to a range of cyber risks of a large degree.
A major assessment and an analysis are required as to what IT leadership teams bring to the table to implement secure functioning of this remote environment. The current climate is creating massive pressure on IT to roll out new services to support this shift in business.
In the case that this change is permanent, it calls for new controls to be designed to support it. However, if the change is temporary, this represents a major risk because technologies implemented so swiftly aren’t usually deployed, keeping security as a priority in mind. They require serious risk assessments. This can be seen in the various cases of “Zoom Bombing” that took place in the initial months of the pandemic.
The above three methods are usually general forms of safety that must be undertaken during an M&A transaction. However, to make the process a whole lot simpler, I’ve devised an action guide, a sort of step-by-step procedure to ensure compliance with all cybersecurity measures to be carried out during your transactions. Let’s see what these are:
• Ensure complete inclusion of cybersecurity experts as members of the M&A team as an ongoing operational practice.
• Assess the target’s cybersecurity resilience, such as information on prior attacks, public filings, etc.
• Assess regulatory and compliance requirements of the target being acquired.
• Conduct detailed cybersecurity examinations of the target’s information systems, tools, etc., during due diligence.
• Establish a contingency fund to be held in escrow for possible exposures that may offer after the transaction.
• Conduct a detailed cost of acquisition evolution, including aligning security for basic complex services and other administrative concerns about software license and network access. Cybersecurity costs must be factored into deal valuation terms.
• Consider other engaging parties that offer “brand protection tools,” “penetration testing,” or “risk quantification tools.”
Post-Acquisition And Post-Merge Integration Actions
• Refresh the target and security operating models established during due diligence with recent analysis.
• Maintain high-security vigilance and monitoring of both companies and develop a playbook for potential risks.
• Anticipate M&A-related impacts to the workforce and include these in risk planning.
• Leverage the M&A process to enhance cyber resilience by reinforcing the role of trust in connecting suppliers, partners and customers.
If anything, cybersecurity presents itself to be well infused with what’s considered the new normal. Furthermore, the major implication cyber risks have for M&A is twofold since the data of the company being acquired may not the ultimate target. Instead, it may serve as an expedient way to break into the acquiring company.
Vigilance, it seems, thus, is the buzzword for the future, with risk assessment following close at its heels.