This tool, featured in the fifth edition of the NACD-ISA Director's Handbook on Cyber-Risk Oversight, reviews cybersecurity risks at key stages of a merger or acquisition transaction and provides suggested questions for board members to discuss with management at each stage.
Introduction
Cybersecurity remains a core business challenge for most corporate entities. Mergers and acquisitions (M&A) only increase that risk. An intentional process for understanding and mitigating cyber risk throughout the transaction lifecycle will significantly reduce that risk and enable a successful inorganic growth strategy.
The Multi-Faceted and Strategic Nature of M&A Risk
Cyber risk is pronounced during M&A because of several factors:
Increased Leverage for Cyber Threat Actors
Entities that study cyber threat actor behavior know that M&A transactions are favorite targets for hackers. M&A activity draws attention to companies from investors, regulators, and the public, making them especially vulnerable to publicly disclosed cyber-attacks and the negative publicity those attacks create. An FBI advisory warned that “The FBI assesses that ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.” The FBI found that ransomware actors would threaten to release nonpublic information to negatively affect the stock valuation.
Increased Opportunity for Hackers
Hackers will often infiltrate the acquired company’s network first, using the transition to expand their attack to the acquiring company to exploit and damage both. This occurred as early as 2013, when an attack on a major retailer captured millions of customers’ credit cards. In a hotel chain breach, the personal information of hundreds of millions of customers was stolen. Both of those incidents resulted in multi-year class action litigation and settlements of hundreds of millions of dollars.
Increased Attack Surface and Unexpected Security Issues That Require Additional Investment
The acquirer takes ownership of the acquired entity’s environment (and all cybersecurity weaknesses and vulnerabilities) at a time when there is business pressure to quickly connect and integrate systems.
Regulatory and Compliance Risk
Every developed nation now has regulatory standards for protecting personal information, with some regimes like the General Data Protection Regulation in Europe carrying potential monetary penalties of four percent of global annual revenue. In addition, security regulations are becoming increasingly common worldwide, especially in critical infrastructure sectors. Acquiring companies assume an increased compliance risk for companies that process personal information, are critical nodes in systems like payment processing, or provide services essential to the economy.
Successful Risk Mitigation Throughout the Transaction Lifecycle
Best practices in each phase of the transaction lifecycle can significantly mitigate all the risks described above.
Due Diligence Phase
- Considerations: Proper due diligence by an experienced team can uncover significant security and compliance gaps, provide a high-level estimate of investment required for compliance and security, provide insights into the sufficiency of cyber insurance coverage, and reduce the likelihood of major surprises in later stages. To accomplish this, the diligence team should have a deep understanding of cybersecurity best practices, regulatory requirements, and the nature of corporate transactions, and be able to respond to assistance requests on very short notice.
- Leading Practices: A robust methodology will include both traditional due diligence practices, such as document and interview requests, and technical testing to obtain irrefutable data. This technical component is important because even the most forthcoming security teams of acquired companies may miss hidden or undiscovered risks across the enterprise. Another practice is to incorporate remediation costs into the overall transaction cost to avoid additional funding requests by IT and security teams after the transaction closes, when these funds are more difficult to obtain.
Integration Phase
- Considerations: Integration is the period when business-related synergies can be realized. Cybersecurity risks increase during integration because of the increased access between the two companies, and because any incidents will be managed by two teams that have never worked together.
- Leading Practices: Strong governance of integration-related activities (such as granting access to IT systems) needs to be in place, and the cybersecurity team needs a seat at the table throughout the process. Network connectivity should be carefully designed and monitored, and responses to incidents should be rehearsed, enhancing cooperation and reducing reaction and decision time. Acquiring companies need to have a clear vision for what a combined entity looks like, including necessary human resources, technology, policies, and budget. This will both reduce security risk and optimize costs. The combined security organization should be able to manage any new security and compliance risks created by the acquisition.
Divestitures
- Considerations: Divestitures create their own set of cybersecurity risks. Critical information like intellectual property needs to be protected. The cybersecurity team must be split into two new teams, and the disruption that naturally follows must be managed. The “Remainco” team will likely need to provide cybersecurity services to “Spinco,” which will need to be defined contractually in a transition services agreement (TSA) and successfully managed. A security team will also need to be stood up for the newly independent organization, with a plan to exit TSA services as soon as practical.
- Leading Practices: Managing all the aspects of a divestiture is a significant burden, and the security team will need to staff the effort appropriately. The security team needs to be tightly integrated with the other divestiture workstreams to inform team leaders about security requirements and keep up with significant transaction milestones. Creating a high-level but clear vision of the Remainco and Spinco security teams will help minimize rework during the transaction and set both new organizations up for success.
Sell-Side Readiness
- Considerations: Managing cybersecurity properly during the sell-side process is a way to prevent unexpected value erosion. Acquiring companies will naturally want to understand what risks and costs they are assuming, so preparation of an honest but persuasive narrative will reassure acquiring companies that cybersecurity is not a factor in the decision to move forward.
- Leading Practices: Cybersecurity teams can make inexpensive investments in their program to increase security and address buyer concerns. Examples include remediating vulnerabilities in software, updating insurance coverage, and rehearsing the response to a cyber incident. Teams can also prepare a thoughtful narrative on their program’s strengths and weaknesses. Most acquiring companies expect that some incidents will have occurred, but they will expect to see the lessons learned and the actions taken to strengthen the cybersecurity program. Acquiring companies more easily accept gaps in security best practices if the seller is aware of them and has developed a realistic plan to address them.
Questions the Board Can Ask Management About M&A Cybersecurity Considerations
- How will this transaction change our overall cyber and privacy risk, and what is our plan to mitigate that risk?
- How are we preparing to protect ourselves against the increased risk of threat actor interest if we move forward with this transaction?
- What is our approach to understanding cyber risk and protecting ourselves before we sign?
- Have we incorporated the costs of additional cybersecurity controls or remediation into the transaction cost structure?
- How are we planning to monitor the cybersecurity programs of our acquisitions to ensure they are mitigating cyber risk?
- How are we planning to effectively respond to intrusion incidents in our acquisitions?
- (For integrations) How will we capture synergies as we build a combined cybersecurity team?
- (For divestitures) How will we mitigate dis-synergies as we split our cybersecurity team?