Acquiring a company can give a real boost to the development of another. As a result, the number of M&A deals continues to grow, with a record 62,193 in 2021 (45,000 in 2020). A figure this large is bound to attract attackers, all the more so against the backdrop of 2020, when the French Network and Information Security Agency (ANSSI) reported a fourfold increase in cyber attacks.
Despite growing awareness among decision-makers, the cybersecurity component of the “due diligence” process does not always come into play at the right time, and due diligence itself is still too often confined to financial, marketing and HR aspects. This is compounded by the fact that the cybersecurity review, when it happens, may be incomplete, exposing both companies. The complexity of cybersecurity issues (internal threats, external risks, regulatory risks) adds a further layer of risk.
Two questions therefore deserve an answer: what are the cybersecurity risks during M&A and what is their impact? And how should an effective security and compliance audit be conducted, and on what basis?
Explaining due diligence that is often incomplete, incidental or overlooked
Generally speaking, cybersecurity must carry more weight in due diligence. The need is illustrated by a 2021 study in which only “25% of financial and corporate players consider IT system due diligence as pivotal. This figure then drops to 18% and 13% respectively for cybersecurity due diligence”.
This recommendation is all the more crucial when the target company handles large volumes of data or derives its competitive advantage from a distinctive technology component. A security breach may expose sensitive data, or it may have already devalued the target's intellectual property by putting it, illegally, in other companies' hands.
The other issue is timing: when should cybersecurity be examined? It must be addressed in the initial stages of the transaction, not only during the integration phase, as is still too often the case.
Combining due diligence and cybersecurity: the essentials
One key point bears repeating: cybersecurity due diligence cannot be conducted without the involvement of the target's IT department and its Information Systems Security Manager (ISSM, the equivalent of a CISO).
An audit must then be carried out to collect and analyse the following information: security practices; recent security incidents; a map of the deployed tools and IT infrastructure; known risks; employee cybersecurity training; the IT security team's organisation chart, and so on. Unsurprisingly, this phase requires a high degree of transparency from the target company.
The audit must be complemented by specific, measurable technical checks that surface weaknesses or active threats. Examples include building an inventory of the network infrastructure and its exposed assets, penetration tests (agreed in scope and authorised by the target before they start), network flow analysis, and research on specialist sites and forums to establish whether the company is already a target of attacker groups or likely to become one. Automated tools can take on a large share of this work.
Outlining the critical risks
Choosing to ignore cybersecurity can have far-reaching implications. One potential impact is a tarnished company image, as illustrated by Marriott's takeover of Starwood hotels, in which the data of up to 500 million customers was exposed: the intrusion into Starwood's reservation system predated the acquisition and went undetected through the transaction, so the acquirer inherited both the breach and the fallout. Other risks include production shutdowns, data leaks that incur penalties (under the European Union General Data Protection Regulation, GDPR), lower revenue, reduced profits, and damage to brand reputation.
Such incidents can lead to regulatory fines and legal proceedings. For the record, the IBM-sponsored Ponemon Institute study put the average cost of a data breach involving personal and confidential data at USD 7.91 million (the 2018 figure for US companies).
In general, any security breach not only lowers a company's valuation but also reduces its appeal. How could an acquirer not reconsider a deal with a company exposed to major risks that could spread to its own organisation?
As we can see, and contrary to a widespread belief, the M&A process is a risky business from a cybersecurity standpoint. Successful due diligence depends on increased vigilance and a strict methodology. Companies seeking to be acquired have a vested interest in investing in an IT system capable of withstanding cyber attacks. They should also prepare their employees to avoid the most common pitfalls through effective training in “cyber hygiene”. Conversely, companies planning an acquisition must give cybersecurity far greater weight when assessing a target.