

With deals set to surge in 2024, don’t forget to manage M&A cyber risk


By Lawrence Perret-Hall, COO at CYFOR Secure

It’s been a tough year for mergers and acquisitions (M&A) deals, but the gloom may be lifting. Industry watchers and business leaders predict activity will bounce back in 2024, with 94 percent of European financial services CEOs expecting to pursue strategic transactions in the coming 12 months. They know dealmaking is fraught with risk for both buyers and sellers. But one factor that is often underestimated is the potential impact of cyber risk on M&A outcomes.

Given the financial and reputational stakes involved, relying on self-disclosure to inform cyber risk is not enough. That’s why business leaders need to carry out comprehensive cybersecurity risk assessments to make better informed decisions. Anything less might lead to a heavy dose of buyer’s remorse.

Due diligence is a must

Although global dealmaking is some way from the highs of 2021, there are reasons for cautious optimism in the year ahead. Gartner claims that well capitalised enterprises may swoop for smaller tech-focused startups struggling to raise VC funding in a new wave of “techquisitions”. Moreover, Bird & Bird argues that both buyers and sellers are “prepared to deal” in order to scale their business and/or enter new markets.

Those boards responsible for making such decisions are well versed in the typical legal, financial, and operational risks that M&A deals can throw up. They also understand the importance of due diligence in uncovering these risks early on in order to make better informed M&A decisions, but cyber risk is still too often overlooked despite the serious impact it can have.

Acquiring companies need to look more carefully at target businesses: serious deficiencies in their security posture or unidentified breaches could have a major impact on deal price, or whether a deal can even be done. Even if a transaction has already gone through, risks should be identified as quickly as possible so remedial steps can be taken to minimise any long-term erosion of deal value.

What might be wrong?

Many organisations sport a blend of legacy on-premises systems and modern, distributed cloud architectures and, combined with a fast-evolving threat landscape, this can lead to cyber risks that even a target company may be unaware of. From cloud-native software development, to AI, Internet of Things, data analytics, and even home working laptops, countless modern investments expand the potential attack surface. And risks extend beyond an organisation’s network: many have opaque supply chains which are often left unmanaged. One 2022 study claims two-fifths of global organisations feel their cyber attack surface is “spiralling out of control”.

Threat actors are primed and ready to take advantage. Tapping a cybercrime economy worth trillions annually, they target organisations at their weakest points. That could be the individual employee, susceptible to phishing links while working on an unprotected laptop at home, or it could be a remote desktop protocol (RDP) endpoint misconfigured to allow a brute force password cracking attack. They are spoilt for choice.

The cybercrime underground provides a ready-made marketplace for vulnerability exploits, stolen credentials, and even easy-to-use “as-a-service” offerings which lower the bar to entry for non-technical threat actors. With relatively little skill, a budding cybercriminal can gain or purchase access into a corporate network and move laterally unseen until they find sensitive data to steal and/or encrypt for ransom. That’s why 59 percent of mid-sized UK firms and 69 percent of large businesses experienced a breach in 2022. And it’s why 2023 is already a record year for publicly reported US data breaches.

Some cautionary tales

Cyber due diligence is essential to root out serious problems. It could be widespread vulnerabilities or misconfigurations that need fixing, or dangerously low levels of staff security training and awareness. It could be the presence of malware or even threat actors inside the network. Or it may be an undiscovered and/or undisclosed data breach. Any of these issues and a range of others may expose the acquiring company to serious financial, reputational, and regulatory risk.

Nor are these merely theoretical risks. Consider the infamous Verizon acquisition of Yahoo, when the discovery of historic data breaches at the internet pioneer led Verizon to negotiate down its purchase price by $350m, or around 7% of deal size. Marriott International was not so fortunate when it acquired Starwood Hotels in 2016: its due diligence failed to spot a 2014 mega-breach at the firm which, when finally revealed in 2018, led to major regulatory fines, negative publicity, and class action lawsuits for Marriott.

How to mitigate M&A risk

So how should acquiring firms proceed with their cyber due diligence process? How deep they want to peer into a target organisation will depend on risk appetite. But at a bare minimum, things like vulnerability assessments and penetration testing can provide useful insight into the cyber-resilience of an organisation’s internal and external networks, devices, and assets.

More broad-based risk assessments may help to uncover a target company’s approach to breach management, disaster recovery, business continuity, and compliance with industry regulations and standards like GDPR or ISO 27001. Dark web monitoring allows organisations to see if corporate data or credentials from a target company have been breached and put up for sale.

With this context, an acquiring company will be able to make better informed decisions. It may mandate that a target company remediates any serious issues before the transaction, it may want to reprice the deal, or even walk away altogether. Even after a transaction has been completed, due diligence can provide critical insight to reduce risk exposure and support compliance programmes as quickly as possible. A virtual CISO service can be invaluable here in helping the acquiring company to develop relevant policies and awareness.

Cyber risk is an increasingly important business risk. Organisations that understand this will be best placed to make a success of their M&A deals. But boards that continue to dismiss IT security as a mere cost centre may have some nasty surprises in store next time they go shopping for a new acquisition.

Global Banking & Finance Review

