Explore the overlooked cybersecurity risks in mergers and acquisitions (M&A). We highlight the critical role of cybersecurity during due diligence, detailing inherited vulnerabilities, inconsistent security postures, compromised assets, and data privacy minefields that can jeopardize deals.
In brief:
- Inherited vulnerabilities from legacy systems and shadow information technology (IT) can result in cybersecurity risks for mergers and acquisitions.
- Inconsistent security postures between companies create dangerous gaps — like mixing multifactor authentication with basic password protection.
- Hidden breaches may have already compromised assets, meaning you could be buying a “cyber grenade” that will explode after the deal.
- Data privacy compliance mismatches can expose you to regulatory penalties when standards like the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) don’t align.
- Insider threats spike during transitions because anxious employees may steal data as job security leverage.
Cybersecurity for mergers and acquisitions (M&A) is as critical as a financial review.
Due diligence is the backbone of any successful M&A deal. You check financial records, comb through inventory, and even break down supply chains. Meanwhile, auditors are scouring for weak points. Each weakness they find can pose a threat. In many cases, a threat can significantly affect the deal-closing process, its dollar amount, or even whether the deal can close at all.
But even the most detailed due diligence process may overlook a critical factor: the company’s cybersecurity.
Thanks to data privacy and cybersecurity issues in mergers and acquisitions, a deal may appear favorable from afar but prove to be far from ideal. One weak link can expose one or both companies to enormous risks — even after the ink has dried.
Let’s dive into the importance of cybersecurity in mergers and acquisitions, the risks most deals miss, and how to mitigate risk before an acquisition and after a merger.
5 Cybersecurity Risks That Most M&A Deals Miss
Performing cybersecurity due diligence for mergers and acquisitions starts with identifying the most common risks. Here are the risks that should top your shortlist:
1. Inherited Vulnerabilities
Inherited vulnerabilities refer to those that were already in place in the other company’s infrastructure. These may include:
- Legacy Systems With Vulnerabilities: For instance, an outdated system may no longer be supported by the manufacturer. It could have unpatched vulnerabilities going back many months — or even years.
- Shadow IT: Shadow IT includes all devices and applications that the IT team doesn’t manage themselves. Because individual employees may have been performing their own IT for years, they may have introduced a range of malware or insecure apps into the company’s ecosystem.
- Inconsistent or Counterproductive Security Culture: How one organization values cybersecurity, as well as the behaviors of team members, can significantly affect its security culture.
2. Inconsistent Security Postures
Policies and technology are invariably different between two companies. For instance, one company may have an anti-shadow IT policy with an IT team that closely monitors and micromanages all installations. Another may allow employees to install their own software on company machines. Variances like these result in huge security disparities.
For example, Company A may use multifactor authentication (MFA) by incorporating a secondary, physical device into the sign-in process. This is one of the more secure ways of vetting those who connect. Company B may only use usernames and passwords for most, if not all, of their apps.
Company B may have dozens of compromised passwords, and attackers may have already gained a foothold in their infrastructure — or sold access to a hacker organization.
3. Compromised Assets
Breaches sometimes develop completely undetected over months. Therefore, some company assets may have already been compromised.
For instance, the infamous SolarWinds breach in 2020 went on for months before it was detected. With advanced persistent threats (APTs), the initial breach — in this case, credential theft through phishing — may often go unnoticed. With a merger, this possibility presents a dangerous threat. You can essentially buy a cyber grenade that explodes after the deal closes.
For example, an organization may already have an asset that has been compromised due to inconsistencies in its third-party security policies. The company may have granted a third-party vendor, such as a marketing company, access to a customer database. The third-party marketing team may have nothing but good intentions. But a relatively simple structured query language (SQL) injection attack on the database can result in data theft, sabotage or changes.
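The database scenario above comes down to how the vendor-facing application builds its queries. The following is an added example, not code from the article or from Centric Consulting: the same customer lookup written two ways against an in-memory SQLite table with constructed sample rows. The version that splices the caller's text into the SQL lets a crafted input rewrite the query's meaning and return every customer; the parameterized version hands the same input to the database as a bound value, so it can only ever match a region literally named that way.

```python
"""Added example (not from the article): a customer lookup built by string
concatenation beside its parameterized form. The table and rows are
constructed sample data for the demonstration."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory customer table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, region TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "a@example.com", "EU"),
            (2, "b@example.com", "US"),
            (3, "c@example.com", "EU"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, region: str) -> list:
    """Deliberately unsafe: the caller's text becomes part of the SQL statement,
    so quote characters in the input change what the statement does."""
    query = f"SELECT id, email FROM customers WHERE region = '{region}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, region: str) -> list:
    """Parameterized: the driver binds the value; it is compared as data and
    cannot alter the statement, whatever characters it contains."""
    return conn.execute(
        "SELECT id, email FROM customers WHERE region = ?", (region,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    crafted = "US' OR '1'='1"  # constructed input containing a quote
    print(lookup_vulnerable(db, "US"))      # one row, as intended
    print(lookup_vulnerable(db, crafted))   # all three rows leak
    print(lookup_safe(db, crafted))         # no such region: empty list
```

In an audit, this is the check to ask for on any system a vendor reaches directly: whether every query path binds parameters (or uses an ORM that does), and whether the vendor's database account is limited to the tables and operations its job requires, so that a defect in its tooling cannot turn into the data theft or modification the section describes.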
4. Data Privacy Minefields
Data privacy regulations often differ significantly, even if their high-level goals are essentially the same. Even if a company you’re acquiring complies with an apparently comprehensive, strict regulatory standard, it may fall short of meeting critical local requirements.
For example, the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) differ in that CCPA applies only to organizations doing business in California, whereas GDPR protects the data of European Union (EU) residents. But the differences don’t stop there.
The CCPA allows for more flexibility in how companies manage user information. Under CCPA, providing consumers with a data collection opt-out mechanism is enough to satisfy regulators. But GDPR requires that an organization get explicit consent from consumers before storing their data.
Therefore, an organization that’s CCPA-compliant may not be GDPR-compliant. A European company could end up inheriting a system that fails to meet GDPR compliance standards, thereby exposing itself to significant legal and reputational risks.
5. Insider Threats During Transition
When you combine departing employees and unclear access controls, you get a recipe for sabotage. During an M&A deal, anxiety and other emotions run high. People are afraid of losing their jobs. Some may want a backup plan and could use their company’s data as leverage.
For example, suppose there’s an M&A deal between a company that builds artificial intelligence (AI) solutions and a software organization. A longtime system admin for the AI company — with deep access to secret intellectual property — is afraid they might lose their job during a merger. They create a backup of the company’s code repository, including documentation around its vulnerabilities.
If they end up getting fired, that employee can sell the repository backup to a hacker organization on the dark web. The software company would then acquire compromised technology and a plethora of exposed vulnerabilities.
It’s essential to remember that these threats can easily go unnoticed. Unlike financial weaknesses or operational inefficiencies, they rarely show up as a figure that leaps off the page of an audit.
The good news is that once you’re aware of the most pressing threats to look out for, you can begin preparing to mitigate your cyber risk — before the deal closes.
Ways to Mitigate M&A Cyber Risks Before Your Acquisition
Despite these and other threats, cybersecurity for mergers and acquisitions can drastically reduce your risk. For instance, you can:
Integrate Cybersecurity Into the Valuation Process
If a company has unmitigated vulnerabilities, such as legacy systems that are no longer supported by their manufacturer, the company’s valuation should be negatively impacted.
Stipulate Cybersecurity Terms in Your Contingencies
This can include postdeal compensation for threats discovered after an acquisition that started before the deal was finalized.
Conduct Thorough Preacquisition Cyber Audits
Conduct thorough cyber audits that include:
- Systems and Infrastructure: Examine the network architecture, including the apps deployed in the cloud, servers, and all endpoints.
- User Access and Authentication: What kinds of privileged access principles does the company employ? Which systems does it protect with MFA? How does the company revoke user access after employee termination?
- Security Incident History: All breaches and close calls should be documented and presented. Incident responses should also have been outlined, as well as postmortem analyses.
- Data Privacy Policies and Practices: The company you’re doing a deal with should be compliant with both the privacy policies for their jurisdiction and with yours. When this isn’t possible, a contingency should be included that accounts for compliance issues before the deal closes.
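The "User Access and Authentication" item above is the one that most readily turns into a repeatable check. The following is an added example, not code from the article or from Centric Consulting: a small access-review script that runs over a constructed CSV export of the target company's accounts and flags enabled accounts belonging to terminated employees, privileged accounts without MFA, and accounts that have not signed in within a chosen window, alongside an overall MFA-coverage figure. The column names, the sample rows, and the audit date are assumptions for this example; a real export would come from the target's identity provider and HR system.

```python
"""Added example (not from the article): a preacquisition access review over a
constructed account export. Column names and rows are assumptions."""
import csv
import io
from datetime import date

# Constructed sample export (assumed format); not real data.
SAMPLE_EXPORT = """\
username,role,enabled,mfa_enrolled,employment_status,last_login
alice,admin,true,true,active,2024-05-20
bob,user,true,false,active,2024-05-18
carol,admin,true,false,active,2024-05-19
dave,user,true,true,terminated,2024-04-30
erin,admin,false,true,terminated,2024-01-15
frank,user,true,true,active,2023-11-02
"""

AS_OF = date(2024, 5, 21)  # audit date, assumed for the example
STALE_DAYS = 90            # sign-in window, assumed for the example


def parse_export(text: str) -> list:
    """Parse the CSV export into rows with typed boolean and date fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["enabled"] = r["enabled"].strip().lower() == "true"
        r["mfa_enrolled"] = r["mfa_enrolled"].strip().lower() == "true"
        r["last_login"] = date.fromisoformat(r["last_login"].strip())
    return rows


def review_access(rows: list, as_of: date = AS_OF, stale_days: int = STALE_DAYS) -> dict:
    """Apply the three checks and compute MFA coverage over enabled accounts."""
    findings = {
        "terminated_still_enabled": [],  # revocation after termination failed
        "privileged_without_mfa": [],    # admin role protected by password only
        "stale": [],                      # enabled but unused beyond the window
    }
    enabled = [r for r in rows if r["enabled"]]
    for r in enabled:
        if r["employment_status"] == "terminated":
            findings["terminated_still_enabled"].append(r["username"])
        if r["role"] == "admin" and not r["mfa_enrolled"]:
            findings["privileged_without_mfa"].append(r["username"])
        if (as_of - r["last_login"]).days > stale_days:
            findings["stale"].append(r["username"])
    with_mfa = sum(1 for r in enabled if r["mfa_enrolled"])
    findings["mfa_coverage"] = with_mfa / len(enabled) if enabled else 0.0
    return findings


if __name__ == "__main__":
    for key, value in review_access(parse_export(SAMPLE_EXPORT)).items():
        print(f"{key}: {value}")
```

Each finding maps back to a question in the checklist: an enabled account for a terminated employee shows that revocation is not tied to HR offboarding, an admin without MFA is the password-only posture described under risk 2, and a long-unused enabled account is the kind of orphaned access that tends to be inherited unnoticed. The coverage figure gives the deal team a single number to track from the audit through integration.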
Conduct Red Team Simulations or Penetration Tests
Do red team simulations or engage with a third-party penetration testing company to push the company’s defense systems to the limit.
Involve IT Security Leaders Early
Involve leaders early to ensure their concerns and input become part of the decision-making process. If they identify technical debt, weak security systems, or other vulnerabilities, that input can protect you from closing an ultimately bad deal.
Assign a Cross-Functional Team
In addition to IT and cybersecurity, you should also bring your legal, compliance, change management, and HR teams to the table.
Even if your preacquisition due diligence is airtight, there may still be some postmerger issues to keep in mind.
Common Postmerger Cybersecurity Oversights
The other company’s security profile looks solid, and the deal gets the green light. That’s good news, but there are still some factors you’ll want to keep on your radar:
- Tech Stack Misalignment: Your operating systems may not work well with the other company’s software. Or some security tools may not integrate data from your existing enterprise resource planning (ERP) system.
- Delayed or Failed Integration of Security Tools: The other company’s security tools may not work well with your cloud or on-premises environment. Or, even if they are compatible, it may take time to get them up and running. M&A integration issues can significantly add to your IT team’s workload in the wake of a deal.
- Access Issues Across Merged Organizations: While granting access to employees from the other organization, you risk overprivileging that could result in additional internal threats.
- Lack of a Unified Incident Response Plan: Company A may choose to automatically discontinue access to the company network during a suspected breach. Company B may try to contain the breach without bringing digital operations to a halt. These different kinds of security approaches must be reconciled before the deal.
By factoring these considerations into your M&A cybersecurity strategy, you can mitigate their impact before the deal goes through.
The key to a successful M&A deal, from a cyber perspective, is to proactively identify vulnerabilities and potential integration issues before putting anything in ink. This is essential because cyber concerns should be integral to your business strategy. Security issues can easily undermine operations and undercut profits.
Identify Cybersecurity Issues Before Pushing an M&A Deal Forward
Mergers and acquisitions can move quickly. There’s also a lot of pressure — from both sides — to wrap things up. However, don’t let a tense environment lead to cybersecurity issues.
Instead, you should systematically review the security posture of the parties involved. Document all cybersecurity requirements and potential concerns in writing. Resolving security problems should be as binding a condition as ensuring financial solvency.
You’ll have numerous boxes to check, which will require time and energy. That’s where Centric Consulting’s experts come in. Our cybersecurity consultants can help you mitigate your M&A cyber risk before and after the deal. Learn how by talking with an expert today.