Quantifying M&A Cybersecurity Risk

Sometimes they get it right, sometimes they don’t

With operations in transition, companies going through Merger and Acquisition (M&A) activities are frequently targeted for cyberattack. The high-value data of publicly-held companies is especially vulnerable, as it offers potential for media coverage and both short- and long-term rewards for threat actors. Not surprisingly, acquirers with mature M&A practices will integrate this risk into their due diligence valuation using multi-factor estimation guides such as industry risk, security policy and company breach history. Sometimes they get it right, sometimes they don’t….and some companies will avoid cybersecurity due diligence altogether.  A recent Accenture study revealed that 92% of CIOs reported that their cybersecurity due diligence uncovered key risks or resulted in a material impact in their deals. Yet, even with the stakes this high, there are a number of reasons why companies either postpone or discount the urgency of conducting a cybersecurity check as part of the M&A due diligence process. It may be a lack of understanding the potential deal impact, or a desire to restrict how many people are aware of the potential merger/acquisition. Whatever the reason, the significance should not be overlooked.

Is the Pain Worth the Gain?

Quantifying cyber vulnerability and the potential financial and reputational impact is challenging at best and downright impossible for most without a skilled team of data and actuarial scientists. However, acquiring companies armed with this insight have a powerful negotiation tool in their belt — the knowledge to determine when the stakes are too high and it’s better to step away from the table. If a cybersecurity liability is revealed in the pre-acquisition due diligence stage, it may prevent serious damage to both organizations.  Then again, even when including risk and security expertise in the due diligence process, participants may assume that going through the arduous task of calculating risk is the only answer. In reality, easier than calculating the estimated cybersecurity risk associated with impending M&A activity is conducting an actual Cyber Due Diligence Assessment and mitigating the exposure altogether… 

M&A Activity Heightens Cybersecurity Risk

From early in the evaluation to after the close, there are heightened risks of cyberattack for companies in transition. At each stage, and for each type, it is important to understand the implications to avoid damages. 

Pre-Merger Operational Risks: Because many early-stage companies are focused primarily on product development and initial growth, cybersecurity can mistakenly take a backseat to other concerns when fighting for constrained resources. When a merger or acquisition seems evident and it is time to get the house in order, systems, policies and procedures are brought up to standard. But what about the errors from the past? Are there data leaks that may have already occurred, that are now only waiting to be found? Or, are there long-forgotten, exposed attack surfaces that only need a bit of publicity to be illuminated for cybercriminals to find? To ensure all mistakes of the past are accounted for, during the due diligence evaluation it is recommended that the acquiring company conduct a Cyber Due Diligence Assessment

Post-Merger Operational Risks: Combining the IT systems of merged companies is incredibly complex. It can take many months, even years. During the data migration and integration process, data is frequently transferred via shared sources such as cloud buckets and FTP servers. The high potential for sensitive and valuable data exposures during this time of transition can be an attractive target for threat actors on the lookout for exposed attack surfaces and data leaks. Ensuring you have no unknown vulnerabilities outside your security perimeter is critical to ongoing success. Continuous monitoring for accidental data leaks and shadow IT exposures is essential, as threat actors are watching every move a company makes at this critical stage. CybelAngel’s External Attack Surface Management (EASM) Solutions scan the internet every 24 hours to identify, assess, score, investigate, and remediate any and all external exposures.  

CybelAngel’s M&A Due Diligence Assessments and EASM Solutions scan the depths of the Internet and Dark Web to uncover any unknown vulnerabilities or attack surfaces leaked by accident or with ill intent — uncovering and helping you to mitigate open ports (ie. developer websites or shared drop box sites) and eliminate access to rogue information (ie. past employee passwords) that could open the company to incalculable risk. CybelAngel’s Due Diligence Assessment includes a Cyber Risk Report of exposed information, and a Cyber Incident Report, which looks for risks that could impact the valuation or brand reputation. To learn more, speak to a CybelAngel expert today. Click here for more information on M&A Cybersecurity Due Diligence