In any given year, thousands of deals occur worldwide across many industries. While each case is unique, one thing remains constant: the growing importance of cybersecurity in M&A for reducing the risks related to the transaction.
Traditionally, due diligence processes in mergers and acquisitions focused on scrutinizing long-established areas such as legal, finance, operations, business contracts, etc., with cyber risks not fully prioritized. However, with the increase in cybercrime and many prominent attacks on companies undergoing M&A processes, cybersecurity due diligence has become an urgent topic among C-level executives and company boards.
Integrating these assessments early in the M&A process can greatly influence negotiations, reduce unforeseen risks, and support better decision-making. This proactive approach is essential for protecting investments, ensuring they adhere to regulatory compliance practices, and securing sensitive data against breaches and cyber attacks.
What is cybersecurity due diligence in M&A and divestitures?
Cybersecurity due diligence in mergers and acquisitions (M&A) and divestitures involves evaluating and assessing the cybersecurity posture and risks associated with a target company or business unit.
This process is crucial for identifying potential vulnerabilities, threats, liabilities and cyber risks that may be inherited as part of a merger. It serves as input to understand the cost of remediation and can influence the valuation or even change the course of the deal. Such assessments are crucial to provide additional insights into negotiations and reduce risks that could emerge down the line once the transaction is complete. We can distinguish three main areas in which cybersecurity due diligence assessments are performed:
- Cybersecurity due diligence of procedures and policies such as risk management, incident response plan, IT asset management, application security posture management, identity threat detection and response, etc.
- Technical cybersecurity due diligence, including penetration testing, breach assessment, source code review, etc.
- Cybersecurity awareness and culture in the organization
When is cybersecurity due diligence performed during the M&A process?
The due diligence process can be implemented at various stages of an M&A deal. According to a 2019 study by Forescout, 38% of respondents (senior manager-level IT and business decision-makers) reported starting a cybersecurity assessment as early as the strategy creation step, the earliest pre-deal phase of the M&A process. 33% did so during target screening, 22% during the diligence and evaluation stage, and only 6% reported performing a security assessment during the integration phase.
Figure: When cyber due diligence is performed in the mergers and acquisitions lifecycle
These results show that executives and decision-makers have begun seeing the benefits of early cybersecurity review. The same study indicates that an undisclosed security issue on the sell side can be a deal-breaker for 73% of business leaders in M&A deals.
How is technical cybersecurity due diligence for M&A performed?
Many buy-side companies hire an external contractor to execute a technical cybersecurity assessment of their target. This guarantees that the sell-side’s security controls are challenged from an independent perspective, so that its cybersecurity risks and data privacy threats are genuinely surfaced. The security assessment also allows buyers to feed the review results into their risk analysis and even into the valuation of the deal.
A comprehensive technical cybersecurity assessment involves several key actions designed to uncover potential risks and vulnerabilities. These actions ensure that the acquiring company fully understands the target organization’s cybersecurity landscape and risk exposure. The primary components of this assessment include breach assessment, attack surface mapping and discovery, penetration testing, and source code security review.
Key assessments performed during technical cybersecurity due diligence
Breach assessment
A breach assessment aims to identify any indicators of compromise or ongoing security incidents within the target company’s network. This involves examining logs, network traffic, and alerts from security operation centers and their tools, such as EDRs and SIEMs, for any anomalies or known breach patterns to detect signs of unauthorized access, data exfiltration, or other malicious activities.
Discovering a breach before finalizing the transaction allows the acquiring company to address the issue proactively, potentially renegotiate terms, or even reconsider the deal if the risks are too significant.
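To make the breach assessment step concrete, here is an added example (not code from the original post or from Blaze) of the kind of log triage such an assessment performs. It runs over a few constructed authentication and proxy log lines and flags two of the patterns named above: a burst of failed logins followed by a success from the same source (possible unauthorized access) and an unusually large outbound transfer to a destination not on the known-destination list (possible data exfiltration). The log formats, thresholds, hostnames and addresses are all assumptions made for the example.

```python
"""Minimal breach-assessment log triage (added example, not from the original post).

Assumed log formats (constructed for this example):
  <iso-timestamp> auth OK|FAIL user=<name> src=<ip>
  <iso-timestamp> proxy src=<ip> dst=<host> bytes_out=<n>
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

AUTH_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) proxy src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")

# Assumed tuning values: a real engagement would derive these from the target's baseline.
FAIL_THRESHOLD = 5          # failed logins within the window before a success is suspicious
FAIL_WINDOW_S = 300         # window in seconds
EXFIL_BYTES = 100_000_000   # total outbound bytes per (src, dst) that warrants a look
KNOWN_DESTINATIONS = {"backup.example-corp.internal", "crm.saas-vendor.example"}  # assumed allow-list

# Constructed sample logs: 10.0.0.5 brute-forces "admin" and then pushes 150 MB to an unknown host.
SAMPLE_LOGS = """\
2024-03-01T02:00:00 auth FAIL user=admin src=10.0.0.5
2024-03-01T02:00:12 auth FAIL user=admin src=10.0.0.5
2024-03-01T02:00:25 auth FAIL user=admin src=10.0.0.5
2024-03-01T02:00:37 auth FAIL user=admin src=10.0.0.5
2024-03-01T02:00:49 auth FAIL user=admin src=10.0.0.5
2024-03-01T02:01:10 auth OK user=admin src=10.0.0.5
2024-03-01T08:15:00 auth FAIL user=jsmith src=10.0.0.7
2024-03-01T08:15:20 auth OK user=jsmith src=10.0.0.7
2024-03-01T02:30:00 proxy src=10.0.0.5 dst=files.unknown-host.example bytes_out=80000000
2024-03-01T02:45:00 proxy src=10.0.0.5 dst=files.unknown-host.example bytes_out=70000000
2024-03-01T03:00:00 proxy src=10.0.0.9 dst=backup.example-corp.internal bytes_out=500000000
2024-03-01T09:00:00 proxy src=10.0.0.7 dst=cdn.unknown.example bytes_out=2000000
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # "suspicious_login" or "possible_exfiltration"
    src: str      # source address the finding is about
    detail: str   # human-readable explanation for the assessment report


def detect_bruteforce_success(lines):
    """Flag a success that follows FAIL_THRESHOLD or more failures from the same source within the window."""
    fails = defaultdict(list)  # src -> timestamps of recent failures
    findings = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        if m["result"] == "FAIL":
            fails[src].append(ts)
            continue
        recent = [t for t in fails[src] if (ts - t).total_seconds() <= FAIL_WINDOW_S]
        if len(recent) >= FAIL_THRESHOLD:
            findings.append(Finding("suspicious_login", src,
                                    f"{len(recent)} failed logins then success for user {m['user']}"))
        fails[src].clear()  # a success resets the failure run for that source
    return findings


def detect_exfil(lines):
    """Flag (src, dst) pairs whose summed outbound bytes exceed EXFIL_BYTES to a destination not on the allow-list."""
    totals = defaultdict(int)
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            totals[(m["src"], m["dst"])] += int(m["bytes"])
    return [Finding("possible_exfiltration", src, f"{total} bytes sent to unknown destination {dst}")
            for (src, dst), total in totals.items()
            if dst not in KNOWN_DESTINATIONS and total >= EXFIL_BYTES]


def triage(log_text):
    """Run all detectors over raw log text and return the combined findings."""
    lines = [line.strip() for line in log_text.splitlines() if line.strip()]
    return detect_bruteforce_success(lines) + detect_exfil(lines)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(f"[{finding.kind}] {finding.src}: {finding.detail}")
```

The two detectors are deliberately simple so the logic is visible; on a real engagement the same shape applies, with the thresholds taken from the target's own baseline and the allow-list built from its asset inventory, and every finding cross-checked against EDR and SIEM alerts before it is reported as an indicator of compromise.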
Attack surface mapping & discovery
Attack surface mapping and discovery in the context of M&A due diligence usually involves identifying all potential entry points for cyber attacks within the target company’s external-facing IT environment, from SaaS-based cloud solutions and on-premise hosted systems to shadow IT.
By understanding the full scope of the attack surface that is exposed externally, the acquiring company can better evaluate the target’s vulnerability to cyber threats. This knowledge is essential for developing a robust post-acquisition cybersecurity strategy.
Penetration testing
Penetration testing is a simulated cyber attack on the target company’s systems to identify vulnerabilities that malicious actors could exploit. This technical assessment evaluates the effectiveness of existing security measures and provides insights into the target company’s ability to detect and respond to real-world threats.
Penetration testing in the context of M&A depends heavily on the target acquisition and its core business, but in our experience it typically includes a focused product security assessment (especially for SaaS companies), pentesting of external and internal networks, application security testing of business-critical applications, and cloud security assessments.
Source code security review
For technology companies and other businesses heavily reliant on proprietary software, a security-oriented source code review is an essential component of cybersecurity due diligence. This review involves analyzing the target company’s source code to uncover hidden vulnerabilities, backdoors, and other security weaknesses that could be exploited. By confirming that the software is reasonably secure and less prone to critical flaws, the acquiring company can mitigate the risk of future attacks and protect its intellectual property.
Performing these key actions as part of the cybersecurity due diligence process enables organizations to make informed decisions, minimize risks, and ensure a smoother transition post-transaction. By prioritizing technical cybersecurity assessments, companies can better protect their investments and position themselves for long-term success in their M&A activities.
Benefits of performing technical cybersecurity due diligence in M&A deals
Performing technical cybersecurity due diligence in M&A deals is crucial for ensuring a secure and successful transaction for both buyers and sellers.
Benefits for the buy-side
For buyers, technical cybersecurity due diligence offers significant advantages. First and foremost, it helps mitigate risks by identifying potential cybersecurity threats and vulnerabilities within the target company. By uncovering these issues early, buyers can prevent the financial and reputational damage that arises from breaches discovered only after the acquisition. A well-known example is Avast’s 2017 acquisition of Piriform, the maker of CCleaner. Attackers had been inside CCleaner’s networks for months before the deal, and by the time Avast acquired the company they had launched a supply-chain attack, infecting many CCleaner users through a malicious update. The potential liabilities from this episode ultimately landed on Avast, highlighting that in M&A you also acquire whatever cyber risks the target firm carries.
This blog post by Auth0/Okta discusses other well-publicized M&A deals that imploded over cybersecurity concerns.
Integrating cybersecurity assessments in M&A due diligence allows for more informed decision-making. Buyers can assess the target company’s overall cyber resilience and maturity and adjust the purchase price accordingly, ensuring they are not overpaying for a company with significant cyber risk. It also aids in developing a comprehensive integration plan that includes cybersecurity considerations, ensuring a smooth transition and compatibility between the buyer’s and target’s information security standards, frameworks and procedures.
Regulatory compliance is another critical benefit. By verifying that the target company complies with relevant cybersecurity laws and regulations, buyers can avoid future penalties and legal issues related to non-compliance, protecting their investment and reputation.
Benefits for the sell-side
Sellers also stand to gain from performing technical cybersecurity due diligence. Demonstrating strong cybersecurity measures can increase the company’s valuation, as potential buyers are likely to see the company as a lower-risk investment. This can also minimize price reductions during negotiations due to cybersecurity concerns.
Moreover, showcasing robust cybersecurity practices enhances the company’s marketability, making it more attractive to potential buyers and giving it a competitive edge in the market. Sellers can also reduce future liabilities related to cybersecurity incidents post-sale, facilitating a smoother transition and integration process for the buyer.
Maintaining a positive reputation is essential for sellers, and by ensuring that cybersecurity issues do not arise post-acquisition, they can build trust with potential buyers through transparency and diligence in cybersecurity.
Cyber risks in the M&A process
Purchasing a company with a compromised database or active cyber threats can lead to substantial liabilities. Due to undisclosed breaches, companies have faced class-action lawsuits, regulatory fines, and damaged reputations. Additionally, Material Adverse Change/Effect (MAC or MAE) clauses can be triggered, potentially allowing purchasers to exit transactions without further obligation, as nearly happened with the Yahoo/Verizon deal.
The often-quoted example illustrating the risks of failing cybersecurity due diligence is the Marriott case. In 2018, two years after hotel giant Marriott acquired Starwood Hotels, 339 million guest records were stolen from the latter’s database. Even though the hack had occurred in the Starwood database before the transaction, Marriott became liable for the breach.
In the fallout, Marriott faced multiple class-action lawsuits from guests whose data had been compromised (most citing a failure to perform due diligence on the sell-side’s cybersecurity), was fined $23.8 million by the United Kingdom’s Information Commissioner’s Office, and saw its CEO called to testify before a US Senate committee. The hack was later reported to be a likely Chinese government information-gathering operation.
In recent years, hackers have specifically targeted companies in the midst of M&A activities, aiming to exploit confidential information and extort ransoms. In 2021, several companies were attacked during the private negotiation stage, with attackers using Trojan malware to scan for keywords indicating M&A intentions, such as “10-Q1,” “Nasdaq,” “Marketwired,” and “Newswire.”
In late 2021, two months after being acquired by a private equity firm, a midsize manufacturer paid $1.2 million to a ransomware group with suspected links to REvil. This incident, reported by The Wall Street Journal, highlights a growing trend of ransomware groups targeting midmarket acquisition targets, posing risks for private equity and venture capital firms. Midsize companies, often with less robust cybersecurity, attract attackers seeking substantial payouts without the geopolitical risks of larger targets.
Let’s now take a look at specific security risks that organizations involved in mergers, acquisitions or divestitures face.
Targeting by cyber criminals
Cybercriminals may specifically target companies undergoing mergers, acquisitions, or divestitures for several reasons:
Heightened activity and distraction
The M&A process involves a high volume of sensitive communications, financial transactions, and data sharing, creating numerous opportunities for cyberattacks. Key personnel may be focused on the transaction details, potentially overlooking cybersecurity threats and vulnerabilities.
Valuable data
M&A activities involve highly sensitive information that can be extremely valuable to cybercriminals, including strategic plans, financial data, and intellectual property. The critical nature of M&A transactions makes companies more likely to pay ransoms to avoid disruptions and data leaks.
Vulnerabilities in transition
Integrating different IT systems and networks can create new vulnerabilities and security gaps. During the transition period, companies may rely on outdated or less secure legacy systems, which are more susceptible to attacks.
Increased attack surface
The involvement of multiple entities, such as advisors, legal teams, and third-party vendors, expands the attack surface, providing more entry points for cybercriminals. This makes it easier for attackers to find and exploit vulnerabilities.
Common types of cybersecurity threats in M&A
The increased attention from cybercriminals can lead to several common threats for organizations involved in these processes, including:
Data breaches
Unauthorized access and exposure of confidential information are among the most serious threats to companies undergoing the M&A process. Attackers may gain access to confidential information stored in databases and systems, leading to data leaks and breaches. Sensitive data, including financial records, intellectual property, and personal information of employees and customers, can be exposed if proper cybersecurity measures are not in place. This concerns not only the security of the target firms but also the security of the virtual data rooms through which deal documents are exchanged.
Ransomware attacks
Cybercriminals may deploy ransomware to encrypt vital data, demanding a ransom for its release. This can halt operations and cause significant financial losses. Additionally, attackers may threaten to release sensitive data publicly if the ransom is not paid, further pressuring the targeted company.
Supply chain attacks
Cybercriminals exploit vulnerabilities in third-party vendors or partners involved in the M&A process, leading to broader network compromises. Attackers may target less secure partners to gain entry into the primary company’s systems.
Phishing and social engineering
Employees involved in the M&A process can be targeted with sophisticated phishing emails designed to steal credentials or deploy malware such as info stealers. Cybercriminals may also impersonate executives or other key personnel to trick employees into divulging sensitive information or performing unauthorized actions.
Insider threats
During M&A processes, employees with access to sensitive information might intentionally or unintentionally leak information. This could be due to dissatisfaction with the merger, financial incentives, or lack of awareness about cybersecurity practices.
Lessons learned from cyber disasters in M&A
- Cybersecurity due diligence needs to be performed early – the integration stage is often too late
- Target company’s cybersecurity practices, certifications, and processes, especially those related to handling personal data, need to be thoroughly assessed
- The sell-side’s cybersecurity culture matters – employees’ and the board’s understanding of data security protocols is a good indicator of the company’s security risks
How to choose cybersecurity services to assist with M&A
Choosing one of the many companies in the cybersecurity sector to assist with mergers and acquisitions (M&A) requires careful consideration of various factors to ensure you engage a service provider capable of conducting thorough due diligence and addressing specific cybersecurity needs. Here’s a step-by-step guide to help you choose the right cybersecurity services for M&A:
Define your needs and objectives
Clearly define the scope of the cybersecurity due diligence. This includes understanding the specific areas you need to assess, such as IT infrastructure, compliance, incident history, and data protection.
Identify your primary objectives, whether it’s risk assessment, compliance verification, integration planning, or all of these.
Research potential providers
- Experience and expertise: Look for cybersecurity firms with a proven track record in conducting cybersecurity due diligence for M&A. Check their experience in your specific industry.
- Certifications: Verify that the provider’s team holds relevant cybersecurity industry certifications, such as CREST, CISSP, OSCP, SANS, etc.
- Standards: Ensure they adhere to industry standards and best practices, such as ISO/IEC 27001, NIST, or GDPR.
- Tailored solutions: Cybersecurity companies should offer tailored solutions that match your specific needs and the nature of the transaction.
- Reporting: The provider should offer detailed and understandable reports that outline findings, risks, and recommendations.
- Post-acquisition support: Check if the provider offers support for post-acquisition integration, including implementing cybersecurity improvements, ongoing monitoring, and incident response.
- Cost and value: Understand their pricing model and ensure it aligns with your budget. Be clear about what services are included and any potential additional costs. Evaluate the value they bring in terms of expertise, thoroughness, and the ability to identify and mitigate risks effectively.
How Blaze can bring cybersecurity into your next M&A transaction
Working with Blaze in your next M&A project will allow your organization to negotiate more confidently. Getting a cybersecurity assessment of the target company in the due diligence stage helps your team make better-informed decisions during the merger or divestment.
We are independent experts with a strong track record in performing technical assessments to support M&A. We can provide impartial and unbiased advice for cybersecurity due diligence processes and beyond. We have proven experience working closely alongside clients to help them better understand cyber risks in their transactions and ensure they are all adequately documented in the data room for more accurate decisions.
Below are the solutions we offer, depending on the type of transaction and which side your organization is on.
If you’re on the buy side:
- Penetration testing to uncover cyber risks in the target company’s central systems
- Attack surface discovery to give your organization visibility into the target company’s external exposure, combined with vulnerability assessments that include an overview of third-party risks
- Security-oriented source code review to discover flaws and deliberate backdoors in the leading platforms and software of the target
- Continued cybersecurity evaluations during subsequent integration phases
If you’re selling or divesting:
- Breach assessment to uncover any existing but unknown intrusions that may jeopardize the transaction or become a liability in the future
- Execution of technical measures to ensure secure data transfers, such as customer data and IP, between the businesses
- Identification of cybersecurity vulnerabilities and risks that may stem from the separation process as part of the divestiture
- Technical evaluations to ensure that the remaining company doesn’t inadvertently retain data it shouldn’t and isn’t left with exposures and vulnerabilities as a result of the separation
Final remarks
Business developers and M&A consultants must understand the role of cybersecurity in M&A and divestments and take the necessary steps to mitigate any risks that may compromise such transactions. A thorough independent cybersecurity assessment, either during the pre- or post-transaction stage, ensures a smooth M&A process and protects against unforeseen financial and reputational losses.