The mergers and acquisitions (M&A) market saw activity slowing in 2022 as new challenges emerged, including rapidly accelerating inflation and interest rates, lower stock prices as well as an energy crisis deepened by Russia–Ukraine conflict. Despite this outlook, 2023 forecasting is more optimistic, returning to normal levels, writes Nehal Thakore, Country Head UKI, at Bosch CyberCompare.
M&A is frequently a complex, costly, and risky process. It involves combining two (or more) businesses into one and requires a lot of legal, financial, and operational considerations. However, cybersecurity is one of the key considerations that should not be overlooked. In order to ensure the success of an M&A transaction, businesses should look to protect their systems, networks, and data.
It is important for companies to be aware of the potential risks and to implement appropriate safeguards to protect against cybersecurity breaches.
Cyber risks in Mergers & Acquisitions
In 2022, 31 per cent of businesses estimated they were attacked at least once a week. When it comes to M&A, cybersecurity threats are particularly high. This is because the merger or acquisition of two businesses involves the integration of two separate systems, networks, and programmes.
As a result, there is a greater risk of data breaches, malicious software and other cyber attacks. In addition, the integration of two businesses can create new vulnerabilities that attackers can exploit, which increases the risk of a data breach. To address this, cybersecurity should be integrated into all stages of the M&A process, including the planning and negotiation phases. This can help ensure that any potential risks are identified and addressed before the acquisition is completed.
Identifying and mitigating cyber risks
Cyberattacks caused by exploiting vulnerabilities have started to increase. Businesses must conduct a thorough security assessment of the two businesses and identify any potential weak points to minimise risks. Once these vulnerabilities have been identified, appropriate steps must be taken – such as implementing security protocols, deploying the right technologies and conducting regular security audits.
Furthermore, it is important to engage with the target company’s security team. Establishing a close working relationship helps decision-makers to understand their current security controls, processes, and policies, as well as any identified vulnerabilities or risks. Consider how the M&A event will impact the acquiring company’s existing security controls and regulatory and compliance requirements and determine if any changes such as streamlining need to be made to ensure the overall security posture remains strong.
Developing a strategy for M&A
Once businesses have assessed their cybersecurity needs, they can develop a comprehensive cybersecurity strategy for their M&A. Alarmingly, fewer than a quarter of UK businesses (23pc) have a formal cybersecurity strategy in place. This strategy should include best cybersecurity practices, measures to protect systems and networks, as well as measures to safeguard sensitive data. For example, businesses must consider the use of encryption to protect their data, or the use of firewalls to protect their networks.
There’s no denying that budget allocation plays a crucial role in forming a cybersecurity strategy. It is difficult to provide an average expenditure on cybersecurity allocated during M&A as the amount can vary significantly depending on a variety of factors such as – the size of the company, complexity of the M&A process, industry environment, threat surface, vulnerabilities and potential risks. Usually, companies allocate a larger budget for cybersecurity during M&A to ensure that they are adequately protected against potential threats. This can include conducting cybersecurity assessments and implementing appropriate safeguards, such as firewalls, intrusion detection systems, and security protocols.
Data privacy is another key cybersecurity consideration for businesses engaging in M&A activities – with only 53pc of organisations claiming to have implemented robust and resilient data security. When data is shared between two businesses, there is an increased risk of a data breach or other cyber attack. As a result, businesses should take steps to ensure that any data shared between the two businesses is properly protected.
Holistic approach
Businesses must take certain steps to ensure a high level of cybersecurity throughout all stages of M&A – pre-acquisition, during-acquisition, post-acquisition. Ahead of acquisition, the acquirer must conduct an in-depth review and assessment of the company being acquired. This includes assessing the company’s cybersecurity requirements, vulnerabilities, undisclosed breaches, current security protocols and cybersecurity strategy and their potential impact on the parent company post the M&A transaction.
Following a thorough review, the acquirer must consider the required steps that need to be taken to ensure a high level of cybersecurity. In addition, businesses must ensure that security teams and CISOs from all the parties are introduced and involved in the process right from the beginning. In many scenarios CISOs are introduced very late in the deal lifecycle, either to protect the knowledge of planned mergers or due to complexities and financial implications of M&A. However, it is very risky to exclude domain experts of compliance and security as any unaddressed concerns could result in expensive liabilities.
Once the M&A transaction is complete, organisations must reassess the vulnerabilities and work collaboratively to develop a detailed plan for integrating their security posture into the acquirer’s overall security posture. Following integration, organisations should then look out for any new vulnerabilities using advanced monitoring tools.
Third-Party Vendors in M&A cybersecurity
Remaining non-bias is crucial when tendering possible cybersecurity solutions. Third-party vendors can play an important role in M&A cybersecurity. They can provide businesses with the expertise and resources they need to protect their systems, networks and data. This could include the use of monitoring and alerting services or encryption services. Additionally, third-party vendors can provide businesses with the necessary skills and resources to develop and implement a comprehensive cybersecurity strategy. Finally, third-party vendors can provide businesses with the tools and resources to ensure data privacy. By taking advantage of the services provided by third-party vendors, businesses can ensure the success of their M&A activity and protect themselves from the risks of cybersecurity. Small (58pc), medium (55pc), and large (60pc) businesses outsource their cybersecurity to an external supplier, citing access to greater expertise, resources, and standards for cybersecurity.
Final thoughts
By considering the cybersecurity risks and priorities at each stage of the deal process, businesses can mitigate the threat of cyberattacks, avoid overspending on security and maximise the return on investment. Cybersecurity due diligence is crucial; it is important for organisations to conduct thorough cybersecurity due diligence before an M&A deal to identify any potential vulnerabilities or weaknesses that could impact the security of the combined organisation.
