Ignoring cybersecurity in M&As can result in devastating breaches, financial loss, and operational disruptions. Learn about the tell-tale signs that could put business deals at risk.

When a large company announces the acquisition of another organization, it is often perceived as just a financial transaction. However, the merger and acquisition (M&A) process is far more complex and exposes many aspects of both businesses involved. Amid the rush to finalize a deal, one critical area that has historically been overlooked, but is essential to any M&A deal, is cybersecurity. This is particularly important since the organizations being acquired are typically smaller and may lack the cybersecurity resources necessary to protect themselves. A survey by Cynet previously indicated that small cybersecurity teams face a greater risk of being attacked than larger enterprises.

“I think the M&A process is relatively well understood and financial modelling and financial due diligence is obviously done very well,” Deloitte Australia risk advisory partner Ian Blatchford tells CSO. “I think not enough attention is paid to cyber due diligence. There’s usually a very cursory glance at cyber risk, in terms of the way their systems are operating and secondly, what risk are we taking on board … but usually it’s a checklist and very low down the M&A activity checklist.”

However, KPMG Australia cyber lead partner Gergana Winzer believes there has been a measurable shift over the last couple of years in how much attention companies pay to cybersecurity during an M&A transaction. She believes high-profile breaches have helped raise awareness of the importance of cybersecurity. Gartner has predicted that by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements, a category that includes M&A deals.
“As a consequence even organizations that we consider being part of the mid-market segment – so not organizations that have huge budgets for cyber – even those types of organizations are starting to realize that they need to have controls in place, they need to have good cybersecurity posture from a technical perspective, but also good cybersecurity maturity for them to be competitive in the market and even survive,” Winzer tells CSO.

Failing to consider cybersecurity when engaging in an M&A deal, as Winzer puts it, is like driving blind without any mirrors.

“You can be very easily attacked and become prey to cyber attackers, and if that were to happen what’s at stake is business operations, being able to run the company as profitably as possible, but also to suffer disruption and suffer a financial loss,” she explains. “There can also be very specific impacts on occupational health and safety. As an example, depending on the type of organization and industry, if it’s the healthcare industry, there may actually be an impact on patients and people who need vital support.”

What areas should CISOs look into during the M&A process?

There are a few cybersecurity risks that M&As bring to haunt CISOs. Experts from major consulting firms have shared some of the main ones CISOs should be aware of, and should make sure their CEOs and boards are on top of, before the process begins. These include ensuring that technology and governance are up to date, checking all third-party agreements and services to ensure they meet the necessary cybersecurity requirements, being aware of opportunism by cyber criminals, and watching out for dormant attackers.

Technology and governance might not be up to scratch

An obvious risk, according to CyberCX financial services lead Shameela Gonzalez, arises when two companies are trying to merge two different technology stacks.
“It’s really important to understand what risks could be created as a result of merging and consolidating those, and how do you still make sure that the coverage you once had as a standalone entity maintains itself once you’ve now incorporated a whole new technology stack,” she says, pointing out that one company is likely to have a better cyber posture than the other.

A prominent example of this came in late 2018, when the Marriott hotel chain announced that one of its reservation systems had been compromised, two years after it had purchased Starwood. Following investigations, it was revealed that after acquiring Starwood, Marriott continued to use the IT infrastructure it had inherited, which, unknown to Marriott, had already been breached by attackers and infected with malware. As a result, an estimated 339 million guest records, including credit card and passport details, were compromised.

Gonzalez also points out that merging and acquiring companies may face further cyber risk from a governance standpoint.

“How do you maintain, outside of tech, the governance and the controls? So much of cyber-risk management is not just tech. Again, mature organizations and highly regulated organizations have lived and breathed this for some time, but some of those enterprises that have not had the same regulatory scrutiny may make the mistake of thinking that ‘as long as I’ve bought a couple of cyber tools, therefore I’m protected’,” she says. “But actually, in the midst of an M&A, your governance is probably going to be more critical than ever because it is the strength of your risk-management process, it’s the strength of your people capability and your process capability on identifying those grey areas you might not immediately pick up on.”

Go through third-party agreements

It is not just the cyber posture of the two companies involved in an M&A deal that needs to be considered, but also that of their third-party providers.
According to Blatchford, the common questions that need to be asked when conducting cyber due diligence before completing an acquisition include who all the third-party suppliers are and what residual risk remains in the supply chain. A recent report by SecurityScorecard found that the exploitation of trusted third parties continues to be a prevalent security concern. The research indicated that 98% of organizations are affiliated with a third party that has experienced a breach, and that third-party attacks have led to 29% of breaches.

“You can make the general assumption that large organizations have resourcing and investment in cybersecurity, so it’s not as easy for cyber attackers in this day and age to go after them,” Gonzalez says. “But vulnerable third parties are a great avenue for cyber attackers to adjacently make their way into larger organizations and cause that same level of disruption.”

Beware of opportunistic cyber crime

Additionally, Gonzalez points out that when a company goes public about its intention to acquire or merge with another, it signals a potential opportunity to cyber attackers. She believes that if organizations are aware of this, there is an opportunity to take a proactive approach to cybersecurity, rather than treating cyber due diligence merely as a prerequisite to finalising an acquisition.

“If an attacker were to see the news publicly announced, what would they assume about us? One easy assumption most attackers would make is that your eyes are off the tools, you are distracted, your investment is going to be focused on everything else except cybersecurity,” she says.
“Once you have that in your mind, you can really prepare yourself and arm yourself to prevent against that kind of mentality and really put the right barriers up that would circumvent a cyber attacker from being opportunistic around it.”

Watch out for the dormant attacker

M&A activities are also a perfect incubator for serious cyberattacks, Gonzalez warns, recalling one previous case she worked on in which a cyber attacker had “literally penetrated [the company being acquired] the day before”.

“So many threat actors are sitting in organizations just dormant, and secretly hiding within your network. They’re learning about your business and your operations, and they’ve amassed a significant amount of knowledge about you …. the last thing we want is a dormant threat actor sitting in one of these entities waiting for the merger to happen and then you’ve just expanded their attack surface,” she says.

Of course, it is nearly impossible these days for any organization to keep attackers at bay all the time. Blatchford’s advice for companies is to decide what level of cyber risk they are willing to take on. Part of that decision, he says, involves considering what the cost of remediation is likely to be if an attack were to occur, and what contractual obligations the acquiring company will be exposed to post-acquisition.

“Cyber risk is a risk like anything else that needs to be paid attention to, but cyber risk does come with some pretty significant consequences if got wrong,” Blatchford says. “So, if I acquire something and there’s a big data leak out there, who takes responsibility for any penalties and enforcement that may come down the line? More often than not, when a cyber breach is detected, it may have happened months ago.”

On the flip side, for the company being acquired, Blatchford stresses how important it is to improve its cyber posture, warning that failure to do so can jeopardise the company’s sale value.
One of the most prominent examples of this was when Verizon cut the price of its Yahoo deal by $350 million after Yahoo’s security breaches came to light during the evaluation phase.

“[Cyber risk] is definitely a negotiation tool. Ultimately, if you’re the acquirer, you’re taking on some kind of risk and for that risk, there needs to be a premium or cost associated with that. And if you have to do an uplift, you’re going to have to spend money and that may have not been factored in on the purchase price,” Blatchford says.