In the business world, mergers and acquisitions are commonplace as businesses combine, acquire one another, and enter various partnerships. Mergers and Acquisitions (M&A) involve complicated processes to merge business processes, management, and a whole slew of other aspects of combining two businesses into a single logical entity.
Both before and after an acquisition, a newer concern with M&A activity is cybersecurity. What role does cybersecurity play in today's mergers and acquisitions of businesses? Why is it becoming such a tremendous concern?
Cybersecurity threats are growing in leaps and bounds
There is no question that cybersecurity risks and threats are growing exponentially. A report from Cybersecurity Ventures estimated that a ransomware attack on a business would happen every 11 seconds in 2021, and that global ransomware costs in 2021 would exceed $20 billion.
It seems there are constantly new reports of major ransomware attacks, costing victims millions of dollars. Earlier this year, the major ransomware attack on Colonial Pipeline resulted in disruptions that caused fuel shortages all over the East Coast of the United States. It helped to show that ransomware attacks on critical service companies can lead to real-world consequences and widespread disruption.
This world of extreme cybersecurity risk serves as the backdrop for business acquisitions and mergers. A Gartner report estimated that 60% of organizations that were involved in M&A activities consider cybersecurity a critical factor in the overall process. In addition, some 73% of businesses surveyed said that a technology acquisition was the top priority for their M&A activity, and 62% agreed there was a significant cybersecurity risk in acquiring new companies.
Risks associated with Mergers & Acquisitions
What risks are associated with mergers and acquisitions? There are several that include but are not limited to the following:
- Increased regulatory scrutiny
- Inherited cybersecurity risks
- Compromised accounts and passwords
- Lost or damaged customer confidence
- Data breaches in the acquired environment
Increased regulatory scrutiny
Compliance regulations, like cybersecurity itself, are growing more complex and challenging for businesses. For example, regulators scrutinize business deals, including mergers and acquisitions, in light of the growing emphasis on data sovereignty and data privacy.
From a cybersecurity perspective, businesses that merge or acquire other organizations must make sure data compliance is a top priority to prevent fines for non-compliance.
Inherited cybersecurity risks
Companies must realize that even if they have a robust cybersecurity posture for their organization, the security dynamic can completely change with mergers and acquisitions. As a result, they inherit the cybersecurity challenges and issues of the acquired business.
The acquiring company inherits existing vulnerabilities, standards, risks, and cybersecurity liability as they assume control of the new business.
Compromised accounts and passwords
As was the case with the Colonial Pipeline hack in May 2021, compromised account passwords are often the culprit behind major data breaches and ransomware attacks. As a result, businesses must understand that securing acquired accounts and directory services immediately, and implementing breached password protection, is a priority.
Scanning the newly acquired environment for password vulnerabilities, reused passwords, breached passwords, and other password threats can help to quickly bolster the cybersecurity stance of the acquired user account assets.
Businesses that have combined through a merger or acquisition may federate Active Directory accounts between them to access various resources. Password synchronization between on-premises and cloud directory services may also be in play. This further emphasizes the need to strengthen password security as accounts are granted access to additional business-critical resources.
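The scanning described above, for passwords that are reused across accounts or that appear in a known-breach list, can be illustrated with a small offline audit. The following Python is an added example and not code from the original article or from any vendor tool; the account list and the breached-hash corpus are constructed for the illustration. It assumes the audit works on SHA-1 digests of passwords (the format the Pwned Passwords service publishes) and mimics that service's k-anonymity range lookup locally, where only the first five hex characters of a digest are ever sent to the lookup side.

```python
"""Offline audit of acquired accounts for reused and breached passwords.

Added illustration, not from the original article. In a real engagement the
digests would come from the acquired directory's password-audit tooling and
the corpus from a breached-password feed; here both are constructed.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format Pwned Passwords publishes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breached corpus. Only digests are stored; the plaintexts are
# used here solely to build the sample data.
BREACHED_CORPUS = {sha1_hex(p) for p in ("Password1", "Summer2021!", "Welcome123")}


def build_range_index(corpus: set[str]) -> dict[str, set[str]]:
    """Index breached digests by their 5-character prefix.

    This is the k-anonymity shape of the Pwned Passwords range API: a caller
    sends only the prefix and receives every suffix in that range, so the
    lookup side never learns which full digest the caller holds.
    """
    index: dict[str, set[str]] = defaultdict(set)
    for digest in corpus:
        index[digest[:5]].add(digest[5:])
    return index


def range_lookup(index: dict[str, set[str]], digest: str) -> bool:
    """Return True if the digest is in the corpus, using prefix-only disclosure."""
    return digest[5:] in index.get(digest[:5], set())


def audit_accounts(accounts: list[tuple[str, str]], index: dict[str, set[str]]) -> dict:
    """Audit (account_name, sha1_hex) pairs.

    Returns a dict with two findings:
      reused   - digest -> sorted account names, for digests shared by 2+ accounts
      breached - sorted account names whose digest is in the breached corpus
    """
    by_digest: dict[str, list[str]] = defaultdict(list)
    for name, digest in accounts:
        by_digest[digest].append(name)
    reused = {d: sorted(names) for d, names in by_digest.items() if len(names) > 1}
    breached = sorted(name for name, digest in accounts if range_lookup(index, digest))
    return {"reused": reused, "breached": breached}


# Constructed sample of accounts from a hypothetical acquired domain "acq".
SAMPLE_ACCOUNTS = [
    ("acq\\jsmith", sha1_hex("Summer2021!")),
    ("acq\\svc_backup", sha1_hex("Summer2021!")),
    ("acq\\mjones", sha1_hex("Password1")),
    ("acq\\admin.legacy", sha1_hex("correct horse battery staple")),
    ("acq\\tlee", sha1_hex("Summer2021!")),
]


def run_sample() -> dict:
    """Run the audit over the constructed sample and return the findings."""
    return audit_accounts(SAMPLE_ACCOUNTS, build_range_index(BREACHED_CORPUS))


if __name__ == "__main__":
    findings = run_sample()
    for digest, names in findings["reused"].items():
        print(f"reused password ({digest[:5]}...): {', '.join(names)}")
    print("breached passwords:", ", ".join(findings["breached"]))
```

The reuse check is the more M&A-specific finding: a service account sharing a password with human users, as in the sample, is exactly the kind of inherited weakness that federation or password synchronization would carry over into the acquiring organization's resources.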
Lost or damaged customer confidence
Businesses must handle any merger or acquisition carefully from a customer perspective. Any misstep, including in how cybersecurity is handled during an acquisition or merger, can lead to customer mistrust and lost business.
Data breaches in the acquired environment
As mentioned earlier, the acquiring company inherits the cybersecurity challenges and risks of the newly acquired environment. These risks include any data breaches, known or not yet discovered. Knowledge of a data breach can even stall or block a potential merger or acquisition. Data breach events may also go undisclosed by the target to avoid jeopardizing the deal.
Cybersecurity and compliance checklist for M&A
- Form an M&A cybersecurity team
- Review the target business cybersecurity posture
- Inventory all physical, digital, and data assets of the target organization
- Revisit the risk assessment
- Engage a third-party security company
1 — Form an M&A cybersecurity team
Businesses often have excellent reasons for engaging in M&A activity. However, as discussed thus far, it can introduce additional cybersecurity risks. Forming an M&A cybersecurity team helps accelerate the cybersecurity tasks involved with the M&A. This team may report to the CIO and should include cybersecurity leaders from the security teams as well as key business leaders within the organization.
This team will be directly responsible for formalizing the reporting structure for addressing the cybersecurity risks discovered with the M&A activity. The team will also help to align the overall business on both sides for a consistent cybersecurity posture.
2 — Review the target business cybersecurity posture
The M&A cybersecurity team mentioned above will be instrumental in reviewing the target business cybersecurity posture. The review of the target organization’s cybersecurity landscape should include:
- A cybersecurity risk assessment
- Review of security policies and procedures
- Recent audit reports
- Any breach reports that have happened recently or in years past
- Audit of accounts and account access permissions across the organization
3 — Inventory all physical, digital, and data assets of the target organization
To properly understand the cybersecurity risk involved in acquiring another organization, businesses must have a complete inventory of all of its physical, digital, and data assets. A comprehensive inventory of these items allows full disclosure of the cybersecurity risks involved.
4 — Revisit the risk assessment
Any M&A activity means an organization needs to revisit its risk assessment. Even a recent risk assessment is now out of date for the reasons already covered (inherited cybersecurity risk, new security or compliance challenges, etc.).
5 — Engage a third-party security company
The M&A cybersecurity team may include a wide range of technical expertise with a wealth of experience in many cybersecurity disciplines. However, even with talented team members, organizations may opt to engage a third-party security company with the technical and staffing resources to help with cybersecurity discovery, remediation, combining security resources, and many other tasks.
Quickly manage M&A password security
Password and account security can be challenging to manage during a merger or acquisition involving multiple companies.
One of the blind spots with any merger or acquisition can be weak, reused, or even breached passwords lurking as a hidden cybersecurity threat.
By bolstering password security in target environments, businesses can protect mergers and acquisitions from one of the most common vulnerabilities leading to compromise.