Cybersecurity breaches, privacy and compliance risk, reputational damage - and the inevitable remediation that will need to be done to address the fallout - will give pause not only to your customers, but also to potential business partners and investors. A strong cybersecurity posture, one ingrained into your company's culture, can reduce risk while acting as an asset which outside investors are increasingly considering as part of M&A evaluations.
Recent cybersecurity issues in high-profile mergers and acquisitions have highlighted the dangers of a poor security posture, but too few organizations have heeded these warnings. Many have simply deprioritized cybersecurity as they pursue business growth, an approach which can compromise an organization's security, the deal or both. In a 2017 West Monroe survey, 52 percent of senior executives reported discovering a security problem AFTER the deal closed. The survey found that security was the number two reason deals were abandoned and it was also the second most common reason buyers regretted closing a deal.
Risks abound for both acquiring organizations and those looking to sell - inadequate security has repeatedly proven to be a key concern during the M&A evaluation process. According to the West Monroe survey, the top reasons deals fail are security concerns (23 percent), financial and tax issues (23 percent), and problems with compliance (18 percent). Another recent study by Forescout reports that 53 percent of M&A deals encountered a cybersecurity issue or incident during diligence that put the deal at risk.
Below are some cybersecurity tips we recommend you include in your M&A checklist. If you’re buying, make sure you focus on evaluation, inspection, implementation and insurance for your target company. If you’re on the selling side of a deal, think about what you would look at as an investor and be ready to provide supporting data, going through this process with your company as its target, to ensure your organization’s security is sound.
Evaluate: Evaluate the security posture and any security incidents of potential target companies. Ask for reports from past audits, assessments and penetration tests. Research publicly reported breaches to ensure you understand what happened and how the company remediated them. Has the company had more than one incident? What caused them? How much did they cost? Did they impact the company’s revenue, sales or reputation?
Inspect: Once you are in negotiations, ask for more detail. Conduct your own audit. Examine physical security, technical security, training, policies and procedures. Do they have an adequate disaster recovery and business continuity plan? In most companies, technology is critical to ongoing operations and the ability to create revenue. In ransomware attacks, those with an effective disaster recovery plan are best able to recover with minimal impact. Also, consider data privacy regulations such as GDPR and CCPA. Will the new, combined entity come under new regulations because it exceeds certain thresholds in terms of amount of revenue, number of records or number of employees? GDPR, for example, applies only to companies with more than 250 employees.
Have, and implement, a solid integration plan: Prepare a detailed integration plan before closing the deal. In the West Monroe survey, only 47 percent put IT among their top three priorities in a functional integration plan. Yet failure to successfully integrate the two cybersecurity operations can leave big holes, creating high levels of risk. The plan should include processes, procedures and people, detailing how they will work together. How will you merge cultures? Is the tech interoperable? If there are redundancies, which one is considered the best and how will the changes be managed? Most importantly, follow through after the merger. It’s surprising how many companies never get around to thoroughly implementing their integration plans.
Insure: Look carefully at existing cyberinsurance policies. What provisions do they include in case of an acquisition or merger? In some cases, the policy may be nullified. Make sure you understand how policies should be updated to ensure you cover your risks adequately.
In short, executives at each company must, at some point, decide what level of risk they are willing to take. Make sure you understand that level of risk and, if it doesn’t match yours, know what will be needed – and what it will cost – before consummating the deal.
For more on how BTB Security can help you improve your organization’s security posture, whether you’re involved in an M&A situation or not, visit us at www.btbsecurity.com.