Mergers and acquisitions (M&A) are a commonly adopted business strategy in the interest of value creation. Motivation for M&A varies and includes expanding operations, achieving cost advantage through economies of scale, or acquiring new technology, among others. Achieving this growth is not easy, however. M&A is a challenging transformation that requires thoughtful consideration and execution at all stages – prior, during and after completion of the transaction.
In today’s rapidly digitalizing environment, business leaders may need to re-evaluate the risks they consider when assessing the viability of corporate transactions and to prioritize cyber risk. Almost all organizations, from technology companies to hospitals and universities, face significant cyber risk – including the potentiality of a data breach or unauthorized access to the organization’s information systems. The consequences that cyber events can have on M&A have been widely published. For example, data breach disclosures by Yahoo in 2017 resulted in a $350 million reduction in the company sale price when acquired by Verizon.
Similarly, Starwood disclosed a security breach just days after their deal with Marriott was announced. This resulted in a 5.6% decline in Marriott’s share price, and Marriott now faces a potential fine of $200 million. These incidents underscore the reasons for taking a proactive approach to managing cyber risk throughout the M&A process. Most importantly, they clearly demonstrate that a well-planned and well-executed cybersecurity strategy makes good business sense and is essential to preserving the value that business hopes to generate through M&A.
To successfully manage cyber risk, business leaders can take the following steps at each stage of the M&A process:
1. Involve the right team
Cybersecurity experts play a vital role in the M&A process. Whether to conduct cybersecurity due diligence or to securely integrate the organizations involved, business leaders should ensure they have the appropriate expertise. This starts with a designated corporate officer, in many cases a chief information security officer (CISO), responsible for leading the cybersecurity efforts throughout the M&A process. The CISO’s efforts should be supplemented by internal subject-matter experts as well as third parties who provide in-depth assessments, such as penetration testing and data audits. For example, ADP, a management services company, when evaluating their potential acquisition of WorkMarket, deployed a team of cybersecurity, risk management and financial-crime specialists, and supplemented their own efforts by engaging a cybersecurity firm to conduct an independent evaluation.
Additionally, it is vital that cyber experts are involved from the start of the M&A process. This means giving the security team access to the target company from the beginning of the diligence effort so that they can interview management and examine the target’s technology, practices and policies. This early engagement will allow the security team to identify any “red flags” that may influence the investment decision or significantly impact the target’s valuation.
2. Holistically evaluate the cybersecurity capabilities of the target
Assessing the cybersecurity capabilities of an M&A target can no longer be decoupled from the due diligence process. An internal evaluation of the target organization’s cyber-risk tolerance will measure the maximum cyber risk the organization is able to take on and can inform its compatibility with the acquiring organization’s cyber-risk limits. But what should a cybersecurity assessment of the target include?
It is critical to recognize that cybersecurity is not merely a technological challenge. In addition to assessing technical capabilities, cybersecurity due diligence should involve a holistic evaluation of whether cybersecurity is appropriately embedded across the target company’s people, processes and technology: This means evaluating the target company’s cybersecurity culture, the importance that its staff attaches to cybersecurity, the robustness of the company cybersecurity policies and processes in place, and the company’s compliance with relevant cyber regulation. Conduct of a holistic investigation – via interviews, data requests or third-party audits – can reveal the particularities of the cyber risks to which a target company is exposed. In turn, this will help measure the impact that a merging or acquiring target will have on the acquiring organization and, as a result, will inform the transaction price.
3. Develop and follow a clear strategy to securely integrate
Cybersecurity considerations in corporate transactions do not end with the due diligence process. Once the deal is finalized, the organizations need to integrate into a single entity – the workforce, the cultures, processes and systems of both organizations. Cybersecurity is a vital consideration throughout the entire process as malicious cyber actors often look to capitalize on the security vulnerabilities driven by a lack of clarity or governance, inadequate system implementation or even personnel who may not understand how to securely operate new systems.
An integration strategy that effectively prioritizes cybersecurity should involve two stages: short-term integration and long-term integration. The short-term strategy, often referred to as “the first 100-day plan”, should prioritize higher cyber-risk areas such as access management and include the establishment of a monitoring process to enable identification and evaluation of cyber risks on a near real-time basis. The long-term strategy should aim to establish a more comprehensive solution including, but not limited to, an integrated security strategy and governance, clear management roles and responsibilities for security and ongoing training for personnel.
“Post-merger integration (PMI) efforts that do not appropriately consider cybersecurity are a train wreck waiting to happen,” says Walter Bohmayr, senior partner and head of the cybersecurity practice at Boston Consulting Group. “Business leaders need to develop and follow an agile integration plan to securely integrate the people, processes and technology of the two organizations. Otherwise, they risk not capturing the intended value from the transaction.”
4. Continue to develop cybersecurity capabilities
Managing cyber risk is an ongoing responsibility. The rapid evolution of technology brings with it an ever-evolving set of cyber threats and vulnerabilities. As a result, business leaders must regularly monitor, evaluate and adjust their cybersecurity strategy to keep pace with the changing threat landscape. This could mean upgrading technical capabilities to identify cyber threats, testing incident response and business continuity/disaster recovery plans on a regular basis, offering training to raise the capabilities of personnel, and collaborating with industry partners to share best practices. Above all, it is incumbent upon business leaders to chart a strategy that fosters a security-focused culture.