Many firms are currently planning mergers and acquisitions as executives seek growth following the pandemic slowdown and explore new approaches to business development. However, due to a lack of M&A cybersecurity hygiene during the last year, these transactions have increased the probability of cybersecurity incidents.
In most M&A transactions, cybersecurity takes a back seat to price and synergy expectations. Yet a new IBM study shows that one-third of CEOs have encountered data breaches due to M&A activity. Moreover, more than half of firms do not address cybersecurity until after due diligence is complete, giving hackers an opportunity to strike.
While the purchasing business and its target each have their own cybersecurity infrastructure, the two will most likely need to be linked to complete the merger. When two networks are connected, security holes in the combined systems are created quickly. If these gaps go unchecked, they become vulnerabilities that hackers can exploit.
The FBI, for example, has warned that hackers specifically target organizations experiencing time-sensitive financial events, such as mergers. The hackers threaten to release commercially sensitive information if the companies do not pay the ransom. Because disclosure of this data may alter the valuation of the deal, which is critical throughout a merger, victims frequently pay the ransom.
The General Data Protection Regulation (“GDPR”) is the flagship data protection and privacy regulation of the European Union. It governs how personal data, defined as information that has the potential to identify a person, is handled by those with the authority to process it. GDPR fines are therefore not solely the result of a breach; they can result from a variety of administrative failures. This makes GDPR one of the key factors in M&A cybersecurity.
As can be seen, proper cybersecurity policies are essential throughout a merger. Fines levied by government entities for failing to comply with their standards are another harmful effect of poor cybersecurity and compliance measures. It is crucial to remember that the following list of penalties and fines is not exhaustive. Further, non-compliance alone is enough for these sanctions to be assessed against a corporation; no network breach is required.
The Children’s Online Privacy Protection Act (“COPPA”) is a data privacy regulation in the United States aimed at protecting children under the age of 13 on the internet. The law applies to general-audience websites with actual knowledge that they are gathering data from children under the age of 13, as well as to commercial websites, mobile apps, and internet-enabled gadgets such as smart toys aimed at kids under the age of 13.
The variety of cyber risks grows as our lives become more connected and organizations move more of their resources, systems, and activities online. The threat posed by cybersecurity breaches has been designated as “Tier 1” by the UK Government. It is easy to see why in the setting of a commercial enterprise: cybercrime is predicted to cost the UK economy billions per year, and the average cost of a security breach to a large firm is significant.
A large cybersecurity breach during M&A can considerably impact a company’s equity (in high-profile examples, Hyatt, Equifax, and TalkTalk saw reductions of 6.9%, 31%, and 14.55% respectively in the month following the attack).
Cyber events can result in losses involving economic damage (including business interruption), internal costs, external costs (such as legal or public relations advice), regulatory fines, civil action damages, and long-term damage to market reputation.
An event may also harm the integrity of an organization’s data or intellectual property. In addition to the headline-grabbing attacks, there are tens of millions of lower-level attacks that are arguably more concerning to organizations from a risk assessment standpoint, because they require minimal or no technical knowledge to carry out. Malicious “off-the-shelf” software can be downloaded for free from the internet by nearly anyone, then used to initiate an attack and wreak havoc on a business’s IT infrastructure.
Any such risk is of great interest to a potential purchaser of a firm. Thus, taking steps to mitigate these risks, such as conducting comprehensive cybersecurity due diligence before acquiring the business, is critical in the context of M&A.
“M&A can be a breeding place for cyberattacks and data breaches,” said Rohan Singla, Senior Manager of Grant Thornton Risk Advisory Services. “Strict due diligence, focusing on cybersecurity, will help prevent regrets later in the acquisition lifecycle.” To meet increased regulatory scrutiny and other emerging cybersecurity threats, today’s M&A strategy must integrate cybersecurity at many strategic and tactical points.
Companies should then form a due diligence team with clear goals in mind. During the merger, this team will implement the best cybersecurity standards. On the list should be:
These individuals should come from both the purchasing and target companies. We have served as external counsel in several acquisitions and mergers by ensuring that both companies comply with all applicable rules. The team you put together must be skilled and aware of what you must do to comply.
To ensure the effectiveness of the cybersecurity due diligence team, avoid the following frequent pitfalls:
Involving members of the business entity on the due diligence team helps in understanding the firm’s cybersecurity infrastructure. Should any clarifications or documents be required, both teams should have immediate access to officials of the target company.
The target organization should provide a list of previous cybersecurity issues. If it is unwilling to, or claims the data is protected, it is critical to press for an answer and to consider walking away from the sale if that answer is not suitable.
The risks associated with data privacy and cybersecurity rise continuously throughout the various stages of an M&A transaction’s lifecycle. Companies require a playbook for mergers and acquisitions cybersecurity to identify and manage these risks effectively in an ongoing and repeatable way.
According to Derek Han, Principal and Leader of the Cybersecurity and Privacy Practice at Grant Thornton, “A repeatable cybersecurity playbook needs to be devised and followed when getting into a contract.”
At every stage of a deal’s lifecycle, particular focus should be placed on cybersecurity and data protection. Senior executives typically have a great deal to do during the lifecycle of a deal; according to Han, having a playbook in place before the process begins can help alleviate that tension.
Because technology affects every part of the company today, a cybersecurity roadmap is a crucial component of M&A due diligence. Your comprehensive cybersecurity roadmap outlines both firms’ security objectives and how they plan to achieve them.
Failure to adopt a properly executed cybersecurity roadmap can produce friction during M&A transactions, resulting in exploitable vulnerabilities. Security measures in one firm may conflict with the other company’s efforts; standards in one organization may also be ill-defined. A SWOT analysis should reveal failings in cybersecurity roadmap documents.
Your roadmap ensures that proper safeguards are tested and improved regularly. Begin by documenting all assets, including IT systems and datasets, and how each is safeguarded. Then document access controls, recovery plans, and so on.
Change management must be included in the implementation of the M&A cybersecurity policy framework to guarantee that enterprise customers are on board and that operations can continue as usual.
Your project management and change enablement personnel should be fully involved throughout the M&A transaction. Make sure to plan for your team’s skill sets, bench power, and industry expertise ahead of time. Assess and prepare any extra internal and external cybersecurity resources required during the transactions.
Cybersecurity teams have a unique chance to decrease risks and offer value to the business during the critical merger period. To establish a successful cybersecurity integration, they must use meticulous planning, exact execution, and close collaboration with business and IT leaders.