Why Cyber Security Due Diligence Is Essential to M&A Success

By Anurag Kahol, CTO, Bitglass

Mergers and acquisitions (M&As) are a significant driver of business activity, with over $4 trillion of deals taking place in 2019, according to data from Dealogic. They can offer firms a range of significant opportunities, ranging from accelerating growth, competitive advantage – or increasingly – to acquire technology.

Despite the impact of current pandemic, M&A momentum appears relatively undiminished, with a recent survey suggesting that  86% of senior M&A decision-makers across a variety of sectors expect M&A activity to increase in their region in 2020 – with 50% expecting to do more deals if a downturn arrives.

Central to the process is due diligence, where the primary focus is on finance, legal, business operations, and human resources functions and data. However, as pointed out by Deloitte in its ‘2020 M&A Trends Report’, “. . . some regulatory issues are growing more prominent in M&A, such as data privacy. The bar continues to rise for the level of care that companies must take to protect personal and financial information.”

As Deloitte also points out, the risks presented by cybersecurity weaknesses are relevant to the M&A due diligence and process: “A target company may bring a cybersecurity weakness into the organisation, or a transaction that involves layoffs or other workforce changes may create data security risks.”

The 2016 acquisition of Starwood Hotels & Resorts by Marriott illustrates the potential impact of a cybersecurity due diligence failure. The deal, which created one of the world’s largest hotel groups went through with Marriott unaware that Starwood’s systems had been compromised back in 2014. When Marriott finally uncovered the undetected breach of Starwood’s guest reservations database in November 2018, it discovered that personal data of 500 million customers worldwide had been stolen.

The fallout was significant, with the UK Information Commissioner’s Office (ICO) handed Marriott International a GDPR penalty of £99 million, noting in its report that Marriott had “failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems”.

Conducting cyber diligence

Today, organisations of every size and scale are increasingly reliant on technology, with cloud-based tools, IoT, and digital connectivity services to conduct business, take payments, and enable their operations all playing a daily role.

Undertaking a detailed cybersecurity audit and evaluation, therefore, is critical for revealing any critical weaknesses that could derail a deal or cause significant issues later on. This is a key first step for understanding what data has been collected, how and where it is stored, and how long it is kept before being disposed of. It should also provide insights into any potential regulations, laws and obligations that will apply.

Conducting a review of all internal and external cybersecurity assessments and audits will also help to uncover potential weaknesses in an acquisition target’s cybersecurity systems and evidence of undisclosed data breaches.

Having established what data needs protecting and where it is stored, it’s important to understand who has access to the data, how it’s used, and what devices are being used for access.

Without this information, it will be difficult to maintain an appropriate security posture post-acquisition.

Moreover, a detailed evaluation of all IT systems and network endpoints in the target enterprise will enable the M&A team to more effectively operationalise the environment, post-M&A. In particular, it enables both entities to combine and integrate their IT systems and processes, including both IT organisations. In doing so, both parties can address risks such as insider threats, compliance, and any potential external infiltration risk points that could impact ongoing data management and protection strategies.

For example, if a user with administrative access makes requests for data on a database containing customer information, the acquiring firm must address that concern, including a review of all security-related policies within both organisations.

This helps inform the subsequent integration strategy and minimise the risk of introducing new vulnerabilities as platforms, solutions, and services are brought together. Effective cybersecurity integration should also be looking at security policies such as data encryption – across all applications, data lakes and beyond – real-time data loss prevention, user access controls and continuous monitoring to gain full visibility into both user activity and applications.

Holistic protection

Conducting detailed cybersecurity due diligence reviews during the M&A process will not only enable an organisation to fully understand the cyber risk potential of a target entity, it will also provide critical information about how the security strategies of the two organisations differ.

It’s inevitable that combining people, systems, and processes will  open up new security risks and vulnerabilities. But if organisations can successfully manage information security in the extended environment, they can not only meet their due diligence obligations, but also ensure that organisational integration is on a firmer footing from day one.