The Security Risks of M&a: What Are the Biggest Pitfalls?

By Erwän Keräudy, CEO, CybelAngel

Mergers and Acquisitions (M&As) in the financial services sector continue to increase, despite the new economic challenges from inflation and global political conflicts. In 2021, there was an 89% increase in M&A deals across the banking sector, with an average deal value of $693 million.

M&As in general are a complex and resource-heavy process. It’s not just incorporating the operations of two businesses, but also its financials, assets, human resources, and compliance frameworks. Evaluating and integrating all of these aspects can be significantly challenging, especially when they are to be digitally integrated.

It’s important to understand that different financial organisations operate in different IT ecosystems. The solutions, tools, and network environments they use often greatly differ based on their size, markets, product or service offerings, and budgets. Without an effective assessment of such distinctive IT infrastructures, an M&A could potentially expose both companies to increased security risks.

So, what are these risks, and how are companies falling short in terms of cyber due diligence during an M&A?

The potential cyber risks in an M&A

Complexity and lack of visibility are the most likely causes of security risks in an M&A project. Integrating different IT systems without well-defined policies and strategies can lead to increased challenges in network security management. For instance, which employees have access to what resources across different systems? How will cross-platform communication work? And how will resources be shared simultaneously across the different systems of the merged organisations?

Isolated or poorly integrated network systems and databases can also create vulnerabilities, opening the door for threat actors, resulting in sophisticated cyber-attacks and security breaches.

In addition, there is a significant risk of inheriting a data breach during the M&A process. Although cybersecurity evaluation has become a key part of modern M&A projects, they are often limited to internal network elements. For instance, financial organisations might evaluate the internal security controls and policies of a firm, but they often fail to realise that vulnerabilities can exist outside of a firm’s secured network perimeter.

Even with the best security policies and tools in place, it’s likely that organisations might already have weak spots in their attack surface, potentially resulting in stolen credentials, or leaked data. Data leaks and attack surface exposures don’t necessarily happen maliciously. Nearly 88% of all data breaches are caused by an employee’s mistake.

So, without evaluating the external risks, organisations might be stepping into a data breach that has already happened ready to be taken advantage of by a threat actor. In fact, the best way to assess a company’s level of risk exposure across an external attack surface is the same way threat actors approach infiltrating these access ports — from the outside-in.

The critical importance of cyber due diligence

According to Gartner, nearly 60% of acquiring companies are not currently using cybersecurity exposure assessments. This is concerning because organisations will be sharing valuable data and assets ahead of, and during an acquisition. If the acquired company has exposed data and an unsecured attack surface, it will inevitably increase the acquiring firm’s risk exposure.

For an M&A deal to be successful, organisations require an extensive and real-time view of the target company’s security posture. It’s not enough to have an overview of what tools and technologies are in place, firms need to know the overall level of risks associated with the company being acquired.

It’s important that acquiring companies use advanced due diligence frameworks. They should incorporate assessment tools that don’t just provide a rating based on security policies and procedures, but also a landscape view of current risk exposures, as well as recommendations for remediation. It’s also critically important to assess how well the target company’s security posture holds up compared to other firms within the financial sector.

How can organisations improve their security posture post-deal?

Once the M&A deal is ratified, organisations must ensure that integrating networks and resources doesn’t lead to any security risks or vulnerabilities. The first step should be to eliminate complexities within the IT ecosystem and drive secured digital interactions. Proactive security practices such as Privileged Access Management and Zero Trust should be implemented to ensure that employees can seamlessly access only the resources they require.

It’s also critical that the security team constantly performs audits to gain full visibility of what systems are connecting and communicating between both networks post-acquisition. Most importantly, organisations should implement External Attack Surface Management (EASM) solutions that provide continuous monitoring, since systems are especially vulnerable during periods of IT integrations and handovers.

EASM solutions allow companies to discover and fix vulnerabilities before they are exploited by threat actors. They can constantly scan and monitor the entire internet, including connected cloud storage and repositories to find any exposed data, devices, domains, shadow IT, credentials, or any other assets, then provide prioritized alerts and recommended remediation actions.

Although security risks are inevitable and unavoidable in an extended network environment, these practices can potentially help companies mitigate the risks, and experience the projected benefits of the M&A without becoming susceptible to sophisticated cyber-attacks.