Don’t Forget Cybersecurity in M&A Due Diligence

FASB Seeks Cut in Lease-Accounting Costs »

Don’t Forget Cybersecurity in M&A Due Diligence

Traditionally, cybersecurity oversight has been relegated to an add-on check

Tuesday, January 30, 2018

By Kevin Richards for CFO.com

For companies seeking to grow or diversify, mergers and acquisitions make perfect sense. Global activity is accelerating, with Wall Street forecasts indicating an upswing in corporate M&A in 2018 and the U.S. merger market set to clear $1 trillion for the fourth year in a row.

But there is a note of caution. An Accenture Strategy analysis of the 500 largest acquisitions by publicly traded companies found that 45% were struggling to succeed.

A possible clue: As recent high-profile information breaches have shown, having your own front door secured but acquiring a company that leaves the back-door wide open can not only accelerate risk, but also unravel due diligence on financial health or business-process synergies.

Traditionally, cybersecurity oversight in any M&A process has been relegated to an add-on check, with information technology due diligence consisting of a week-long or less review of the technical and tactical details.

That’s far less time and effort than is devoted to due diligence of other business areas. Such limited prioritization can often result in unforeseen or significantly higher integration costs, unexpected legal liabilities from unknown data exposures, and increased enterprise risks. Areas at risk of being overlooked include the following:

Not knowing what you don’t know. It is essential to understand the security capabilities of the company being merged or acquired if the business is to develop the same level of confidence around cybersecurity in the new enterprise. The merger or acquisition will mean inheriting internal and third-party relationships and all the risks associated with these new relationships. These relationships can run into thousands for large companies, so taking into account assumed risk around how information is protected becomes vital.

Where trust ends. Some potential merger targets may keep quiet about breach episodes, out of embarrassment or fear of repercussions, choosing to deal with them alone. Or they may make a partial admission about the breach, but later acknowledge that they’ve under-reporting the true nature of the cyber event. The impact of that breach can be hidden, either deliberately or unknowingly.

Deep in breach history. Protecting intellectual property is one of the most important functions of any chief information security officer, but in a merger and acquisition situation, it can be a deal breaker if trade secrets have already disclosed. Sometimes, the only answer is to undertake a dark web search —unfamiliar territory for many CISOs, making it hard to gauge whether intellectual property has already been disclosed.

Making the right investments in cybersecurity measures is not easy. In the 2017 Cost of Cybercrime Study, Accenture Security and the Ponemon Institute found that many companies may be spending too much on technologies that are less effective at stopping cyber crime.

Of the nine security technologies evaluated, five didn’t yield positive return on investment from the perspective of stopping or reducing cyber crime. With the average annualized cost of a company’s cybersecurity of $11.7 million globally, a 22.7% increase over 2016, a deeper review of the acquisition target could help CFOs understand unknown M&A exposures.

Further, cybersecurity differences between companies involved in a merger or acquisition could lead to unexpected integration costs, increased technology training and support costs, and technologically weak spots in cybersecurity protection capabilities for the to-be-merged organizations.

Moving forward, companies should consider a more robust approach to cybersecurity within the M&A due-diligence process. Three simple steps that can be taken are:

Re-think due diligence. Allow more time to perform cybersecurity activities within the due diligence exercise, which would include performing an independent cybersecurity assessment. That could include a review of the inventory of cybersecurity products and technologies to understand organizational technology differences to inform the integration budget process.
Investigate the extended ecosystem. Take a closer look at business relationships by reviewing data-sharing agreements and corresponding risk assessments. Perform a dark web investigation to determine if customer data, contracts, intellectual property, and other key assets involved in the acquisition, are already inadvertently disclosed. Also, use this effort to attempt to identify potential infiltration to the target enterprise; for example, by botnets.
Capture the past, present, and future. Research breach databases for recent disclosures. Monitor the company’s readiness to key principles of the new, upcoming requirements, like General Data Protection Regulation (GDPR) or other emerging rules. If applicable, review past breaches with an emphasis on remediation activity progress, as well as reviewing any ongoing obligations to any affected parties.

Having a weak cyber infrastructure can cause an uphill climb for any merger or acquisition. Armed with more robust information, acquiring and merging organizations can better manage costs, ongoing exposures, and long-term risks arising from cybersecurity. The additional due diligence has the potential to save tens of millions of dollars within an acquisition or merging transaction — and makes sure that both front and back security doors are locked and bolted.