Cybersecurity concerns increase in businesses of all sizes.
Did you know, according to the PwC’s 21st CEO Survey in 2018, 63% of all US CEOs asked stated that cyber threats were something that they were extremely concerned about. Meaning that cyber threats are consequently the number one threat to any kind of business growth?
The issues with cybersecurity risks don’t stop there.
There are no businesses out there that are immune from the fact that merger and acquisition processes can be dangerous in the eyes of cybersecurity. When the transfer of money, ownership, and data is on the line, you can bet your bottom dollar that people with malicious intent are going to be involved, and any potential leak is going to cause problems.
The process of identifying the risks involved in the merger and acquisition process is known as ‘Cyber Due Diligence” simple enough, and it’s one of the most important processes a business can make. Even major online brands that have been established for years have fallen short in this area, whether that’s leaking private customer data or opening their business up to cyber-attacks.
Forbes writes how one report found that 40% of acquiring companies that were involved in a merger and acquisition (M&A) process experienced a cybersecurity issue while integrating the companies and businesses together.
An Example of How Bad Things Can Be
Back in 2017, Verizon bought Yahoo! Media for $4.5 billion. During the M&A, Verizon discovered that Yahoo! had experienced a data breach after they executed the M&A process. As a result, Yahoo! lost out on $350 million of its purchase price and had to pay a $35 million penalty that was created by security fraud charges, a fine issued by the SEC.
On top of that, Yahoo then had to pay an extra $80 million to its shareholders after many of them filed lawsuits against the company for not looking after the data and running their business properly. This is one of the most reputable and infamous cases of a cybersecurity failure in recent history, an expensive one at that.
This is why it’s so important to be aware of the risks that accompany the M&A process, learning what you need to know to counter the threats and ensure the transition operations stay as successful and as secure as possible, which is precisely what we’re going to explore today.
Not Implementing Due Diligence
Just as you would need to apply diligence to the core running operations of your business in areas such as production and health and safety, the same applies to your online merger process and cybersecurity practices.
In the vast majority of cases, cybersecurity issues arise when businesses are conducting the right safe practices that will help protect them when going through a purchase deal. A lot of companies get caught up in the whirlwind of the process and look at figures like the return of investment, and this allows problems to slip through the cracks and cause damage.
This problem can manifest in multiple ways. CSOLINE.com writes that around 32% of businesses simply lack available skilled workers who have the skills and talents necessary to identify and highlight potential cybersecurity issues.
Based on a study carried out by West Monroe Partners, the report also found that more than 40% of acquiring businesses discovered a cybersecurity problem at an acquisition after a deal went through. This is a clear indication that due diligence remains low on both sides of the court.
Issues with this problem, however, are quickly resolved. Firstly, security leaders along the lines of CISO should be involved throughout the deal. Bodies like this have a ton of experience dealing with examples of security failures and know what they need to be looking out for to protect every organization involved.
Hand in hand with this; whether you’re purchasing a business or you’re being sold, you should always contract the services of a third-party organization that can make sure everything security-wise is at an acceptable level.
Manifest Data Protection
During the M&A process, one of the most common obstacles to arise is making sure that data from both businesses are kept safe and protected. At every stage of the process, there’s going to be a large amount of sensitive data being transferred between the two organizations, and if this transfer is anything but secure, it’s going to cause problems.
Lexology writes about the impact that data protection laws will have on transactions within the M&A process, more focusing on the EU’s General Data Protection Regulation (GDPR). They write how “in one of the cases, the buyer was held liable despite the data security incident reportedly taking place prior to an M&A transaction.”
Since this case, the GDPR has stated, along with the Thailand data protection law, that both parties will be responsible for the data protection process of an M&A. In conclusion, fines can be applied to both parties or individually, depending on the specifics of the individual case.
Both organizations need to be responsible for the data protection measures to be implemented. One example of this is using a secure data room. This is essential. Think about all the journalists, magazines, and competition that would love to know what’s going on within both businesses and would do anything to get their hands on an inside scoop.
While a secure data room is the best approach, there’s no way around that; you need to also ensure you’re using a file security system and solution of some description. This way, in the rare case, that someone is able to get through the defenses of your data room, the data is still inaccessible.
Checking the Other Company
If Verizon had never checked Yahoo for their security defects and the security breach was only discovered after the M&A process had been finished, the risk and ownership that came with the security breach would have been on Verizon’s hands. Just like Yahoo had to pay-out to shareholders and settle fines, this would have had to come from Verizon’s pocket.
It is absolutely essential to invest time and resources into checking over the other company you’re buying to see whether any cybersecurity breaches have taken place. You may need to invest in a third-party to carry out the checks if you’re not staffed for it yourself, but it’s an investment that could, very literally, save you millions in the long-term.
The Loss of Reputation
We’ve spoken a lot about the legal sides of the things and how organizations can be hit with fines and settle fees, but what about from a customer standpoint? Of course, any organization would love to keep their cybersecurity shortcomings under wraps, but this simply isn’t legal in the majority of the world, and any major breach during an M&A process would become public knowledge.
What’s more, customers need to be told about a breach, especially if it’s their data that are involved. That being said, if a breach or leak has taken place, this can have a serious impact on the reputation of a business, which is not ideal if it’s a business you’re buying.
Clients and customers can find it very hard to trust a business that has suffered breaches and hasn’t looked after them. In the long-term, this can be a reputation that can be hard to gain back and may result in less business, less revenue, fewer profits, and a reduced customer base.
Business Insights states that a data breach, just one of many potential cybersecurity threats, can result in a business losing more than half their customer base. They claim that “Recent high-profile data breaches in the US, UK, Australia, and Canada have heightened consumer’s caution regarding data privacy and cybersecurity.
The survey, carried out by PCI Pal, found that 83% of consumers in the US will stop spending at a business for several months after a breach has taken place and that 21% of these consumers will never return to that business again. The results were nearly identical in Canada.
As a buyer, this is not a condition you want to fall into, which is why it’s vital for you to take every precaution to prevent breaches of any kind taking place, or at least addressing them before the M&A has been executed.
Understand the Risks. Prevent the Risks.
When it comes to cybersecurity or any kind of security for that matter, the way to address your issues come with awareness and knowledge. If you know what you’re dealing with, you know how to prevent it.
PWC writes that a buyer needs to address two main points of security. Security includes the history of cyber events and the controls in place as well as the assets that are risk within a connected environment.
This means look at the history of the company and how much they’ve invested in cybersecurity. Establish an understanding of whether they have dealt with security issues before and what they did about them, as well as understanding what assets the company has that are at risk during the transition and M&A process.
By highlighting what you’re dealing with, you can then make decisions that can help you protect these assets and minimize the risk of damage occurring. Of course, during the M&A process, there’s not a large amount of time to completely and perfectly assess the security condition of a business, and you may have access to an extremely limited part of the company.
This is, unfortunately, unavoidable, so you’ll need to make sure you make the best decisions you can with the information that you do have access too. Yes, this is imperfect information, but you’ll need to be as accurate as you possibly can. This is where the process of risk assessment comes in. If there’s not enough data and it’s too much of a risk, then it may not be worth going any further.
Working with the Organizations. Not Against Them.
Hand in hand with the consideration above, you need to make sure you’re working with the companies and businesses you’re buying to try and promote as much transparency as possible.
Sure, there’s a lot of sensitive data transferring hands, and some businesses may be reluctant to hand over data before knowing a sale is final. This is why it’s important to come to an agreement with how information can be accessed safely and securely, all so everybody involved is protected, and the risk factors are minimized as much as possible.
Terms will need to be arranged as to the information sharing processes and how this will be carried out in a safe and secure environment.
Summary:
Cybersecurity Risks That Come with Mergers & Acquisitions
Cybersecurity concerns increase in businesses of all sizes. There are no businesses out there that are immune from the fact that merger and acquisition processes can be dangerous in the eyes of cybersecurity. When the transfer of money, ownership, and data is on the line, you can bet your bottom dollar that people with malicious intent are going to be involved, and any potential leak is going to cause problems. Just as you would need to apply diligence to the core running operations of your business in areas such as production and health and safety, the same applies to your online merger process and cybersecurity practices. Hand in hand with this; whether you’re purchasing a business or you’re being sold, you should always contract the services of a third-party organization that can make sure everything security-wise is at an acceptable level. During the M&A process, one of the most common obstacles to arise is making sure that data from both businesses are kept safe and protected. At every stage of the process, there’s going to be a large amount of sensitive data being transferred between the two organizations, and if this transfer is anything but secure, it’s going to cause problems.
