When it comes to cybersecurity risk, mergers and acquisitions simultaneously present challenges and opportunities. Organizations typically seek to acquire a target in order to augment their capabilities, expand their market reach or reduce competition. But if the acquirer doesn’t assess the financial, operational, or reputational risks involved carefully enough, stakeholders may ultimately discover that the business benefits carry lingering cybersecurity headaches that require remediation, possibly cutting into the ROI on the transaction.
Or, if news of a recent breach breaks before the deal is finalized, liability exposure can lead to a significant reduction in the target’s valuation. This famously took place during Verizon’s acquisition of Yahoo in 2017. After Yahoo disclosed that it had been the victim of two massive data breaches – during which more than one billion of its customers’ accounts had been compromised – Verizon changed the terms of sale, paying $350 million less than originally planned.
Identifying and accounting for technology- and security-related risks during the fast-paced negotiation phase can be challenging. Timelines are often accelerated, access to cyber information may be limited and due diligence usually doesn’t include a thorough cyber risk assessment. But accurately surfacing risks is critical for maximizing the value of your investment, as well as ensuring that integration goes smoothly.
In M&A, risk assessment is essential, but it’s also important to conduct that risk assessment efficiently and to do so with the aim of identifying the vulnerabilities that pose the greatest and most immediate risk. This way you start with the areas that need immediate attention and save lower-priority items for after the integration. This strategy will help you meet expectations and achieve faster ROI.
We recommend that all organizations follow a cybersecurity framework to ensure that they’ve covered the fundamentals needed to maintain a strong cybersecurity posture. The period surrounding a merger or divestiture isn’t any different. Because the M&A lifecycle is typically a busy time, with many action items to complete, it’s especially important to have a clear security and risk management roadmap to follow.
Still, you won’t be able to evaluate everything at once. Take the framework of your choice (such as the NIST CSF, ISO 27002, or the top CIS controls) and edit it down to the elements that are most relevant to the transaction at hand. What matters most will depend upon your business objectives, your industry and the specific operational risks that you and the target organization face. You should look at these risks through the same lens that you’d apply to your own business, and then break up the control set questionnaire into must-haves and nice-to-have items.
The list of must-haves should include all the deficiencies that need to be remediated before you connect your networks or introduce operational and reputational risks that come with the merger. A few examples that warrant immediate attention include:
It’s likely that your assessment will also yield a longer list of to-dos that need to be completed, but not right away.
Security loves consistency. By taking the same approach across the entirety of your newly merged business, you’ll enjoy the benefits of consistency and standardization; including predictability and repeatable processes. These include efficiency and reduced risk.
M&As are usually a time of far-reaching change. This transition provides both entities with the opportunity to assess the people, processes, and technologies they have in place, with the goal of optimizing resource usage while driving down costs and reducing risk. To achieve this, define the go-forward model for security. Leverage existing programs that are mature and effective. and migrate outlying processes onto the new corporate standards.
Establishing standard governance across the entire organization requires asking questions like:
A word of warning: although assessment is important, so too is forward momentum. Don’t stay in a state of limbo or uncertainty for too long. Instead, come up with a design that seems like it will work, implement it, and refine it over time as you learn more about its strengths and weaknesses in the real world. M&A integrations can be difficult. You need to be risk-driven and aligned but also decisive so that you can emerge from the process stronger than you were when you started. Done well, the M&A process has the potential to advance the cybersecurity maturity of both organizations involved.
Want to learn more about how Netrix Global can help you understand the risks associated with M&As? Contact us to learn more about our vCISO Services, or schedule a free consultation to learn more about cybersecurity strategy for M&As today.
Eric Xu is a consultant in the Modern Applications & Data Intelligence practice at Netrix Global. His expertise in cloud solutions allows him to translate technical concepts into actionable strategies to optimize productivity and collaboration. Passionate about empowering people through technology, Eric excels at prioritizing clients’ needs, then delivering tailored solutions that drive business success. Prior to Netrix, Eric earned his master’s degree in information technology from Rensselaer Polytechnic Institute.”
2024 Netrix, LLC | All Rights Reserved.
