While Mergers and Acquisitions already involve many types of reviews before, during, and after the Due Diligence (DD) phase to measure the level of risk that impacts the decision-making process, cyber security is often missing from the process. Evolving cyber threats and breaches make this consideration not only important but vital to the entire process. In this article, we review why conducting a cyber security review is important across the M&A process and how important it is to keep a close eye on cyber risks at each and every stage: before, during, and after the M&A transition process.
Businesses are increasingly focusing on cybersecurity in mergers and acquisitions. But what would happen if they didn’t? The target organisation may discover many issues and dormant threats that require large remediation work to bring it to the acquiring organisation’s level. In other instances, the target business may already have Advanced Persistent Threat (APT) actors inside its network.
M&A security assessment includes:
Once all issues and vulnerabilities are known, we create a roadmap to remediate them and provide a rough order of magnitude (ROM) cost, including any missing products and technology.
This includes:
Good cybersecurity benefits both sides of the M&A process. A robust framework and maturity can make a target firm more attractive, and cybersecurity best practices on both ends make for a smoother, more secure transition period.
Different stages of M&A carry different risks. To address those risks correctly and accurately, and to give both the acquiring and acquired firms a realistic view of them, we approach M&A by assessing the posture of the acquiring organisation and comparing it with that of the target organisation or business. Our team has assisted in a number of successful and failed M&A transactions at various stages of the process. We have developed a methodology that provides both parties with visibility on the cyber security issues facing the M&A process. We approach the process differently depending on the stage of the M&A:
Before the NBIO
When the acquiring firm starts shopping around for target businesses, it needs to know that the target business does not have any large breaches or issues. Before entering into a discussion, the acquiring firm should have a rough idea of any obvious gaping holes that may exist. This is particularly important for regulated industries, but it is essential across all industries and M&A.
With that in mind, our team conducts a fully passive and non-intrusive search on the target organisation across the surface, deep and dark web.
Some of the objectives our team searches for include (but are not limited to):
To achieve these objectives, our team has developed a methodology that we can complete swiftly without drawing attention to, or raising any alert about, the search being conducted. This is usually quick and short work that we can conclude within one to two days of searching, and it gives a good indication of the outside posture. While this is not comprehensive, it usually provides a good indication.
At the end of the day, if your house's front door is broken and wide open, most likely there are already people inside your house lurking around.
The outcome of our review assists the acquiring business in:
Note that some risk is acceptable, depending on how impactful those risks are on the business. The acquiring firm must determine its risk tolerance and identify whether acquiring the target firm falls within those acceptable limits.
The acquirer should perform a detailed risk assessment to understand the risk of acquiring the target company. The assessment will provide information on the potential impact of risks and vulnerabilities and how they might be mitigated.
During the Due Diligence Process
Once the acquiring business presents a non-binding and indicative offer (NBIO), both parties want to complete the merger or acquisition quickly. Proper security assessments at this stage are a vital part of cybersecurity due diligence.
To put the necessary security controls in place promptly and ensure the safety of the acquiring organisation, firms typically lean on our cybersecurity teams in M&A transactions to help. Discovering an undisclosed data breach during these security assessments is a major issue, as it calls the integrity of the business into question and exposes the potential acquirer to reputational damage and unforeseen security problems. In addition to the assessment that was completed during the previous stage, our team usually
This information, alongside the budgetary estimate, is essential detail that helps the acquiring business understand not only the issues but also the priorities and the cost to remediate. We have sometimes found that these budgetary numbers are included in the negotiation between both companies.
Once most of the assessment is done, but before the sales contract is signed, our team usually provides our vCISO resource to help program-manage the roadmap and address the critical issues that must be addressed.
After the closure of the deal, our team will keep our vCISO resource in place to assist in delivering and executing the roadmap created in the DD process.
As the two organisations start aligning their security posture in the post-acquisition phase, it’s essential to continue monitoring the progress of the program. During the acquisition process, monitoring of security progress should be around-the-clock. Our vCISO will ensure that the target firm’s cybersecurity meets the buying firm’s requirements.
Businesses nowadays realise that getting the cyber security assessment correct and ready is an essential step during all phases of the DD process and will ensure that the M&A process progresses smoothly.
Are you going through a growth phase and considering a merger or acquisition? Get in touch with our team.