Ben Harknett, VP EMEA, RiskIQ
Over $4 trillion worth of M&A deals were made worldwide in 2015 according to Dealogic, making it the highest year for deal values since 2007. Due diligence plays a huge part in making these deals happen, but with digital channels (web, mobile and social) experiencing a boom in business use, the current due diligence process needs to expand in scope to adequately factor in cybersecurity risk. Failure to do so could lead to unforeseen consequences in both the M&A process and the integration that follows.
All down to digital?
A secure and resilient digital presence is a key requirement for high-performing organisations across a range of industries. Digital channels have overtaken the traditional “human interaction” channels in many organisations to become a critical dependency. When evaluating a target company from an M&A standpoint, failing to adequately evaluate the cyber security risks inherent in the digital channels of both parties can present a potential threat to both operations and brand reputation.
However, all too often digital channels have not been factored into the due diligence process, as these IT engagements have instead focused only on identifying material assets in the valuation process, such as business processing and reporting systems and the hardware and networks that support them.
As business and consumers have both moved outside the perimeter and onto the open internet, it’s now vital that assets residing outside the firewall are accounted for and reviewed in order to get a full understanding of a company’s digital attack surface.
Going beyond standard due diligence
There are a number of common reasons why organisations are not getting the full picture of cyber risks as part of due diligence:
- The first is the sheer scale of the digital presence of the company being acquired. It is not uncommon for a large organisation to have thousands or tens of thousands of active websites and other publicly exposed assets. While IT and security teams in the “to-be-acquired” company will have an asset register of websites, it is almost always a partial view of what really exists. The more decentralised an organisation’s IT activities are, the bigger the delta that can exist between the register and reality.
- Time is another contributing factor. In most cases there is an urgency to complete the acquisition before the value materially changes. Cyber security audits can take a long time as auditors try to build up an accurate picture based on incomplete and out-of-date information.
- Acquiring organisations have been slow to move their own security programmes “outside the firewall”, instead focusing on the more traditional security disciplines. In this case the cyber security posture of their own organisation is not accurately known, let alone the cyber security posture of the target company.
While these can be valid reasons, they must be weighed against the possible consequences. A successful cyber attack could have a material impact on the value of a company in the short to mid term. In addition to reputational damage, new EU data protection laws have introduced the provision for fines of 2-5% of global revenues for loss of customer data, which again can materially impact the value of an organisation with less than adequate security defences. From a nation-state perspective, an undetected “back door” planted in the target company’s network could result in intellectual property theft once the two networks are connected.
In the case of acquisitions involving part of an organisation, for instance a line of business, it is essential to identify and document the assets being transferred, which also include digital properties such as brand assets, domains and social accounts. Without a thorough understanding of what currently exists, critical digital assets may be missed, resulting in ownership and security issues later on.
The M&A aftermath
With no signs of the headline-hitting data breaches stopping anytime soon, organisations in M&A deals need to make sure they are more cyber-savvy about evaluating all of the potential cyber risks if they want to get the best deal possible. However, a good understanding of cyber risks is not only needed for the due diligence process; it should also be a key requirement in successfully managing the risks once the transaction is complete. As responsibility for the security of acquired digital assets transfers to the acquiring company, work begins to bring those assets under management as part of the corporate security programme without risking a costly compromise.