A new study suggests that CIOs and business decision makers should pay greater attention to cyber risks when considering an M&A deal
Cybersecurity issues are increasingly becoming a concern in merger and acquisition (M&A) deals, a new research report shows. The study, conducted by Forescout, suggests that IT and business decision makers should pay greater attention to this aspect when they consider an M&A deal.
Of the more than 2,700 IT and business decision makers surveyed by Forescout Technologies in seven countries, including India, 53% reported that their organization had encountered a critical cybersecurity issue or incident that put an M&A deal in jeopardy. And 65% of respondents said they had experienced buyers’ remorse because of cybersecurity concerns after closing a deal.
A good example is Verizon’s acquisition of Yahoo in 2017, where the acquisition price was cut by USD 350 million following Yahoo’s security breach disclosures.
Cyber risks put M&A deals in jeopardy
M&A deals have involved a number of challenges and risks over the years. While financial and cultural risks in an M&A process have always made headlines (and still exist), the most recent spike is in cybersecurity risks, which decision makers must consider.
As Julie Cullivan, CTO and chief people officer, Forescout, believes, “M&A activity can be a game-changing moment in a company’s history, but recent breaches shine the spotlight on cybersecurity issues and make one thing abundantly clear: you don’t just acquire a company, but you also acquire its cybersecurity posture and a potential Trojan horse.”
Here are some key takeaways of the study:
Less time to review, evaluate deals: Proper cybersecurity evaluation takes time, but acquisitions often run on a fast track, says the study. Many deals face a race to get across the finish line. Only 36% of respondents strongly agree that their IT team is given adequate time to review a target’s cybersecurity standards, processes and protocols before completing an acquisition.
Cybersecurity is now a top priority: More focus on cybersecurity risk during M&A is the need of the hour, and 80% of the business and IT decision makers interviewed agreed. And 65% of respondents said that they are putting more focus on an acquisition target’s cybersecurity posture than in the past, highlighting that cybersecurity is a top priority.
IoT and human error put organizations at risk: When asked what makes organizations most at risk during the IT process, CIOs say it is both human error and configuration weakness (51%) and connected devices (50%) that cause the jeopardy. According to most CIOs, services often get overlooked during integration (and after integration of a new acquisition) due to the rise of unaccounted devices, including IoT and OT devices. Researchers suggest that a company should not automatically trust the hygiene of IT assets. It’s critical to have full visibility into all connected devices and determine whether they are patched, configured properly and free of malware.
Prevalence of cybersecurity issues: More than half (53%) of survey respondents report their organization has encountered a critical cybersecurity issue or incident during an M&A deal that put the deal into jeopardy. Further demonstrating the potential consequence of a security incident, undisclosed data breaches have become a deal breaker for most companies. 73% of respondents agreed that a company with an undisclosed data breach is an immediate deal breaker in their company’s M&A strategy.
Internal IT teams may lack the skills to conduct cybersecurity assessments: Among CIOs, only 37% strongly agree that their IT team has the skills necessary to conduct a cybersecurity assessment for an acquisition. Due to a lack of resources, organizations must allocate outside resources to their cybersecurity assessments and/or may not be able to complete a robust assessment.
Cyber assessment becomes essential
At a glance, cyber is recognized by CIOs and business decision makers as something they need to pay attention to, because if they don’t, it could stop a deal in its tracks, or result in major financial losses or reputational damage down the road, cautions Cullivan. The CIO, she believes, along with the board and other decision makers, can play a role in smoothing this process.
In view of this, Cullivan believes that cyber assessments should be a major part of the acquisition evaluation. It is absolutely critical that the assessment of a target company’s cyber posture and the evaluation of potential vulnerabilities start from the very beginning of the M&A process and continue through integration and post-integration.
“It’s important to remember that even if the initial evaluation does not find any significant cyber risks, the target company will continue to operate—with current employees, customers, vendors and the connected world at large—throughout the M&A process. And, at any point, the target company’s assets and devices could become vulnerable,” she cautions, adding that apart from continuous training (on integration, IoT devices, etc.) and evaluation (of the cybersecurity strategies), it can be very difficult to develop and maintain a comprehensive view of cyber risks.