Offer
Discover best-in-class collaboration tools that drive your agile workplace.
Discover best-in-class collaboration tools that drive your agile workplace.
Learn more about what you can accomplish with our solutions.
Broaden your offering through electronic signature integration.
Explore helpful resources around secure collaboration and more.
Discover who we are and why our solutions are used by more than one million users.
Abonnez-vous pour connaรฎtre les derniรจres nouveautรฉs dโOodrive
The acquisition of a company can provide a real boost to the development of another. As a result, the number of M&A continues to grow, with a record 62,193[1] in 2021 (45,000 in 2020). This impressive figure is sure to capture the attention of hackers against the backdrop of 2020 with a fourfold increase in cyber attacks as reported by the French Network and Information Security Agency (ANSSI)[2].
Despite increasing awareness among decision-makers, the cybersecurity component in the โdue diligenceโ process does not always come into play at the right time and is still limited exclusively to financial, marketing and HR aspects. This is compounded by the fact that this essential phase may be incomplete, exposing both companies. Whatโs more, the complexity of cybersecurity issues adds to the level of risk (internal threats, external risks, regulatory risks).
Accordingly, there is justification for asking the following questions: what are the cybersecurity risks and whatโs their impact during M&A? How to conduct an effective security and compliance audit and on what basis ?
Generally speaking, the notion of cybersecurity must exert greater influence on due diligence. This need is demonstrated in a 2021 study where only โ25% of financial and corporate players consider IT system due diligence as pivotal. This figure then drops to 18% and 13% respectively for cybersecurity due diligenceโ[3].
This recommendation is all the more crucial if the targeted company handles vast amounts of data or has a competitive advantage through a standout technology component. Computer security breaches may expose sensitive data or devalue intellectual property by having illegally provided it to other companies.
The other issue concerns the question of when to focus on cybersecurity. Indeed, we must shift focus in the initial transaction stages, and not only in the integration phase, as is still too often the case.
Again, it is worth remembering a key point. A due diligence process for cybersecurity cannot be conducted without the involvement of the IT department and the Information Systems Security Manager (ISSM).
An audit must then be carried out to collect and analyse the following information: security practices; latest security incidents; mapping of deployed tools and IT infrastructure; existing risks; employee cybersecurity training; IT security team organisation chart, etc. Unsurprisingly, this phase requires the targeted company to instill a culture of high transparency.
The audit in question must be completed by specific and measurable actions to identify weaknesses or dangers. Examples of this include the collection of databases on network infrastructures, intrusion tests, network flow analysis, and expert site research to identify company targeting or future targeting from hacker groups. Automated tools can be used to complete such jobs.
Choosing to ignore cybersecurity can have far-reaching implications. One of the potential impacts is a tarnished company image, as illustrated through Marriottโs takeover of Starwood hotels in which the data of 500 million customers was illegally exposed[4]. Other risks involve production shutdowns, data leaks incurring penalties (European Union General Data Protection Regulation โ GDPR), lower revenue, reduced profits, and damage inflicted on brandreputation.
These circumstances can lead to regulatory fines and legal proceedings. For the record, the IBM-partnered Ponemon Institute found that personal and confidential data theft averages a cost of USD $7.91 million[5].
In general, any security breach not only decreases the valuation of a company, but it also reduces its appeal. How can you not reconsider M&A for a company if itโs exposed to major risks that could spread to the other company?
As we can see, and contrary to much popular belief, the M&A process isa risky business from a cybersecuritystandpoint. Successful due diligence depends on increased vigilance and strict methodology. Companies that seek to be acquired have a vested interest in investing in an IT system capable of resisting cyber attacks. They should also prepare collaborators to avoid the most common pitfalls through effective training on โcyber healthโ. Conversely, companies targeting a potential takeover must give greater consideration to cybersecurity in their assessment of other companies.
Discover how Oodrive can support you through an M&A scenario
[2] https://www.bpifrance.fr/nos-actualites/les-cyberattaques-ont-ete-multipliees-par-4-en-2020
[4] https://www.ciodive.com/news/marriotts-cybersecurity-nightmare-a-lesson-in-ma-risks/543387/
[5] https://fr.weforum.org/agenda/2018/07/le-cout-des-failles-de-securite/
Products
Oodrive sign free trial
Solutions by industry
Solutions by department
Abonnez-vous pour recevoir toutes les actualitรฉs autour du numรฉrique de confiance