Since 2000, there have been over 790,000 merger and acquisition (M&A) transactions announced globally, consisting of a value over 57 trillion dollars. While these expansions and transitions create great business opportunity, they also present a unique risk with the potential for undetected exposed vulnerabilities that are exploited by threat actors as organizations come together.
In simple terms, as the new company expands, the threat landscape and attention to that company by hackers also increases, which means you need to be prepared!
Impact of cybersecurity reviews
To combat the risk associated with these volatile transformations, organizations are now conducting cybersecurity due diligence and threat intelligence early in the process of M&As. This greatly reduces the chances of threats becoming a reality after deals are made and the systems have merged.
The review process should never be overlooked, as that could have fatal consequences. In 2016, for example, Verizon was set to acquire Yahoo! in a deal worth 4.8 billion dollars. However, after completing the acquisition deal, Verizon discovered two large data breaches at Yahoo!. In response, Yahoo! gave a 350-million-dollar discount for the deal – and they had to pay 80 million dollars to settle lawsuits from its shareholders. This is just one example of how poor or no cybersecurity due diligence prior to an acquisition Day 1 are costly.
How can organizations create a playbook to ensure strong cybersecurity during mergers and acquisitions?
1. Assess the cybersecurity posture
Before the deal is announced publicly, organizations must assess the cybersecurity posture to ensure full transparency into each firm’s cyber processes and assets and then identify potential security gaps. Often early sight of the company to be acquired is not possible, as they are still separate entities, which is why companies are using threat intelligence to support this activity.
This threat-centric approach is key when done early in the M&A process to identify where those vulnerabilities and gaps are before moving to the next stage in the business transactions. A common approach to developing a cybersecurity baseline is to use NIST’s Cybersecurity Framework. This recognized industry framework is intended to provide a clearer understanding of managing and reducing security vulnerabilities, as well as provide best practices for protection of networks and data.
2. Align operating models and identify any critical risks
Once the deal is announced, also known as Day 1, the second stage of the merger begins, and organizations should identify and assess their current operating models. This alignment is key to ensure the new company is well prepared and fit for purpose. Synergies, redundancies, priority programs and critical risks are identified.
Post Day 1, security professionals will ensure they catch any security vulnerabilities or exposures and work to remediate. Following this, organizations should do a security maturity diagnostic to re-examine the effectiveness of operations. Then, threat detection and response diagnostic tests will review the technology that the company and security team use. This assurance focus is key post Day 1 in assessing and preparing the new company.
3. Assurance of the new company
The final step is to transition and integrate the new company into the acquiring firm’s operating model and key being the alignment and transition to their MDR/MSS solution. As well as this, the organization should make incident response plans and conduct table-top exercises with the new company’s executives and board of directors to test operational effectiveness and build collaboration and understanding.
Finally, organizations must not forget to check the acquisition target’s supply chain to create a final additional cybersecurity baseline of their high-risk vendors. Discovering these vulnerabilities and rating vendors on cyber capabilities and processes often requires the support of technology to offer visibility.
Maintaining security in the long run
With cybercrime at an all-time high during the pandemic, M&As continue to be high-risk endeavors that cost billions of dollars and affect corporate reputations. The long-term efforts to prevent and secure this process are worth the extra steps to mitigate future security issues.
When combining two companies’ security processes, many parts are left unsolidified, leaving undetected vulnerabilities exposed, which is why collaboration must begin before Day 1 to better prepare both companies. With early due diligence, the risks are lowered and security professionals have better visibility across both companies. Implementing this three-step method will help combat the risks associated with these sensitive moments and set the new company up for success moving forward.