John Madelin, CEO at RelianceACSN
If we are to learn anything about security during the acquisition process, we need only look at the Verizon and Yahoo! Following reaching a deal in July to sell Yahoo!’s core web business, it broke that at least 500 million account details had been stolen in 2014. After Yahoo! announced the user-info breach, Verizon said that it had only been informed of the scope of the breach two days prior – and now the telco wants to shave $1 billion off its original offer. The fallout from this in the coming months will showcase the importance of security due diligence during acquisition activity.
Mergers and acquisitions are a nervous process for businesses for a range of reasons. Buyers look carefully at their target companies and put them through rounds of due diligence and appraisals, a process that can last anything from a couple of months to a year. During this period everything from building structures, financials, intellectual property and other tangible or intangible assets are all inspected.
However, something which traditionally has been forgotten about is cyber security and the complexities surrounding it. With more and more businesses depending on technology, inter-connectivity and networks – combined with the surging rate of cybercrime – cyber risk needs to be far higher on the M&A checklist than it currently is. In the UK alone cybercrime is accounting for 36 percent of all crime reported, according to the National Crime Agency’s figures this year, and this continues to rise.
Evaluating an organisation’s cyber preparedness is tricky at the best of times, but without the necessary due diligence during a merger or acquisition an unforeseen data breach could be devastating. The fallout from cyberattacks is costly, not only in monetary terms but also reputation of the business and its board members.
Crucial to the M&A process is a deep understanding of the risks inherent in the business that is being acquired, which is why due diligence processes need to begin as early as possible to map and understand areas of risk for both companies. Fundamentally, the current management teams are responsible for their own risk, but that will change with the acquisition.
Additionally, it isn’t just the risk taken on from the target company that needs to be considered. Connecting an existing network to a newly acquired, but flawed, one can introduce issues into a company that was once comprehensively protected. It’s crucial that the potential impact an acquisition of a new network is fully understood. This includes the liability for loss of value or reputation damage, that connecting to a weak network could have on the existing business.
A company’s digital resilience is an increasingly important but intangible asset. TalkTalk was hit with a record-high fine of £400,000 this month for its hack that affected 150,000 customers. This is proof that while digital resilience is intangible lack of it can be costly for businesses. It’s clear that during M&A due diligence the amount of money a business has invested on threat protection cannot be a gauge on how secure it is. Organisations can spend millions on software, but if the software isn’t fit for purpose the bad guys will still get in. Instead auditors should be focused on where the organisation’s critical information is, who has access to it and how quickly they can recover it if a breach was to occur. This is what quantifies risk and it is this resilience that needs to be takeninto account during the due diligence process and when pricing a target company.
The final piece of the puzzle is people. An unavoidable part of any M&A activity is the large movement of people into the organisation. This movement creates a huge amount of risk which requires a great deal of thought. An overhaul of access privileges needs to be conducted for the new employees to ensure that the organisation’s critical assets remain secure. New equipment and devices that are introduced to the network can also expose vulnerabilities, with poorly managed or no security defences.
The newly merged IT team has the added challenge of ensuring that security roles and responsibilities across both organisations are clearly understood to make sure that protection levels are maintained and external threats are minimised. Logging and alarming, for example, will need to be carried out as the new entity rather than two old entities to ensure that all bases are covered.
With M&A activities there’s always the prospect of having to manage employees that have to leave the organisation. Disgruntled former employees can pose huge security risks and need to be handled sensitivity to ensure that critical data doesn’t end up in the wrong hands. The M&A process often causes uncertainty and fear among staff, which in turn can lead to an unsettle workforce community. It is important that malicious behaviour from inside is taken very seriously, as this type of security risk is often the most serious damage.
It’s clear that with M&A activity, cybersecurity needs to be considered closely. Yahoo! is likely to become the poster child for what happens when security goes wrong during the acquisition period. And with the possibility that almost 25 percent of the original price will be knocked off by Verizon, it’s a costly lesson to learn.