Posted 12 Dez. 2019

Mergers & Acquisitions: Cyber Security Risks

Laurent Halimi blog profile image

By Laurent Halimi

Today, business growth is based in part on external growth, through the merger and acquisition of businesses, which allows the company to diversify its product portfolio and / or gain new market share. The average cost of a flaw amounting to $ 3.86 million (Ponemon, 2018), members of the board of directors and executive committee should not take cyber security lightly.


Over the past three years, we have observed a trend in the way in which cyber risks are taken into account during the merger and acquisition of companies. Indeed, following the piracy of Yahoo in 2016, which affected Verizon's buyer and which would have cost him 4.8 million dollars :

  • The RSSI have been sensitized and trained to manage the risks inherent in these procurements
  • Cyber security audits have become commonplace
  • Clauses generally stipulate that the company will be devalued if there is a default within a year.

However, the lack of communication between the IT department and the rest of the company is a persistent problem. A Ponemon Institute study found that 63% of IT department managers do not have the ability to regularly exchange and feed information to board members, and 40% do not.


Merger and Acquisition, what are the threats ?

In M & A, the issue of cybersecurity is raised when it comes to integrating the two enterprise networks. It is necessary to have a good understanding of the flows and for this, it is necessary to have a good visibility on the said network flows.
There are several critical cyber security challenges to overcome and manage during an M & A :

  • A larger attack surface – the potential attack vectors that an attacker could exploit increase and leave the networks of exposed and vulnerable acquirers and target companies open.
  • Inherited or imported threats-the introduction of a new organization into its network can impose a significant threat without visibility on the hidden attackers.
  • Internal threats – during mergers, potential internal threats increase for a variety of reasons, concerns and uncertainties related to employment or lack of knowledge of the uses of the new business.
  • Third-party threats-business and technical consultants who are commonly employed during m & as May, knowingly or unknowingly, become pawns in the process of a cyber attack.
  • A heavy burden on IT teams – throughout the duration of M & as, the IT and security teams of the acquiring and target companies are generally very dispersed.

It is important to remove these risks, so as not to suffer a deterioration of the brand image, a devaluation of the company as well as significant burdens related to the loss of data.


Leaders, what can you do at your level ?

Cybersecurity is not about silos, it is a cross-cutting discipline that all collaborators and senior managers need to be aware of. Especially during an acquisition, the attack surface is suddenly enlarged. The time and expense needed to educate and train new employees must be weighed against the potential cost of failure if no action is taken. The costs of risk prevention are minimal compared to financial risks (devaluation on the stock exchange), risks to the reputation of the company, computer costs, etc. be sure of it.

As a first step, schedule a meeting with your company's RSSI. It can help you understand the risks to the company's IT systems.
Following this, several steps can be taken (including but not limited to:) :

  • An audit-analysis of the absorbed company's cyberhygiene (the anglo-saxon due diligence concept, or due diligence audit))

  • Network flow analysis.
  • Rapid training of new collaborators on new cyber security protocols.
  • Implementation of internal threat detection tools.

The concept of integration and training of new collaborators is just as important as the cyber security solutions put in place.

In the case of mergers and acquisitions, the management of cyber-risks should not be limited to a paragraph of the contract announcing the devaluation of the absorbed company, if attack there is.there are ways to guard against these attacks can generate serious consequences, an action plan can be put in place if the decision-makers and the IT Department of the company work together, in addition to the essential due diligence computer, allowing to verify the cyber-hygiene of the acquired company. Even if there is no zero risk, managers, the development of a plan is necessary to minimize the risks incurred. To avoid a dramatic drop in the value of your assets on the stock market, be careful.


On the side of the enterprise

Since cybercriminals generally pursue monetary objectives, the announcement of the merger can lure cybercriminals more than usual. Indeed, by infiltrating the network of the absorbed company, they will eventually be able to perform an intrusion on the network of the new entity and have access to data of greater value.

The acquiring companies are well aware of this. Therefore, by implementing good practices in terms of cyber hygiene, you secure the purchase and the value of the company.