Security Reviews During Mergers and Acquisitions (M&A)

In 2023, Cisco acquired Splunk for a staggering $28 billion, making it the biggest acquisition in cybersecurity history.

Within the billion-dollar market of Mergers and Acquisitions (M&A), compliance and security stand as a critical determinant for the success and stability of major transactions. The merger or acquisition of two companies not only presents growth opportunities but also significantly opens up security risks and vulnerabilities.

According to the 2020 IBM Benchmark Insights, more than one in three executives said they experienced data breaches that can be attributed to M&A activity during integration.

Understanding security reviews in M&A

Mergers and acquisitions can significantly influence market dynamics, business partners, and shareholder interests. Amidst these high-stake transactions, robust security reviews are paramount to mitigate risks and protect sensitive assets.

In 2015, Verizon slashed Yahoo’s deal price by $350 million during the evaluation phase due to two massive security breaches. This incident remains one of the most well-known M&A valuation catastrophes to date.

Security reviews often focus on the following critical areas during mergers and acquisitions:

1. IT infrastructure and network security: Evaluating the robustness of IT infrastructure and network architectures.
2. Data privacy and protection: Upholding data privacy and comprehensive security standards.
3. Regulatory Compliance: Both companies need to adhere to regulatory frameworks, from industry-specific mandates to global standards.
4. Intellectual Property (IP) Security: Safeguarding intellectual property assets against infringement, misappropriation, and unauthorized access.
5. Third-party and Supply Chain Security: Assessing cyber resilience of third-party partnerships and supply chain networks.

With thorough security reviews, you can build assurance and proactively address gaps in your security and GRC frameworks. This approach helps prevent potential issues by identifying and mitigating risks early on, ensuring a stronger and more compliant security posture.

Engaging CISOs in the M&A lifecycle

Navigating the complexities of M&A transactions can be challenging, particularly due to security risks and compliance challenges. Chief Information Security Officers (CISOs) and their teams are crucial for safeguarding data and should have a prominent advisory role throughout the M&A lifecycle.

Unfortunately, CISOs are often informed of acquisitions relatively late in the cycle, exposing the organization to significant risks, such as breaches occurring immediately after the acquisition.

There are several reasons why companies delay or disregard engaging security experts during M&A, including:

• Limiting the number of people who know of impending mergers.
• Underestimating security considerations during the early stages of M&A lifecycle.

Restricting knowledge of potential mergers and acquisitions is understandable during the pre-acquisition phase. However, excluding security domain experts during this stage can be problematic, as security and compliance issues represent potential liabilities and cyber threats in M&A.

Only 60% of organizations have CISOs and InfoSec teams assessing the security posture of potential targets early in the M&A lifecycle, according to IBM’s Benchmark Insights. If CISOs are involved up front, they can assess the target company’s security and identify risks early on.

To learn more about CISO’s approaches in crafting effective security practices, listen to our podcast featuring Matt Sharp, CISO at Xactly Corp.

The M&A due diligence process

Nearly 60% of firms involved in M&A transactions in 2020 considered cybersecurity posture a critical part of their due diligence processes. Maintaining security compliance in mergers should be a top priority through every phase of the due diligence process.

Pre-acquisition phase

In this phase, it’s important to understand the acquisition in terms of business goals and brand objectives, and articulate how they are enabled by security.

The due diligence process starts with a review of the target company’s security posture along with an analysis of past security incidents and data breaches. This phase involves evaluating security policies, procedures, and any related vulnerabilities.

In 2017, Uber revealed a data breach that exposed 57 million customers' information. Uber’s lead security executive paid hackers a $100,000 ransom to delete data and keep the breach quiet. This incident impacted Uber’s deal with SoftBank, closing the deal at $48 billion, a 30% drop from the initial $68 billion valuation.

Assessing undisclosed information

To eliminate risks on all levels, it’s crucial to review the “dark web” — a part of the internet that is not accessible by typical search engines. Estimates suggest that about 60% of the dark web contains materials that can harm B2B operations and compliance. If your team doesn’t have the expertise or resources to conduct this level of security research, it’s recommended to work with a third-party consulting firm that specializes in these types of reviews.

Acquisition phase

During the acquisition phase, the security team performs a comprehensive evaluation of the target company’s security infrastructure. Businesses should conduct a deep dive security audit to uncover any hidden vulnerabilities and ensure a smooth transition. Penetration testing and vulnerability assessments are performed to simulate potential cyber-attacks and address any security gaps before they can be exploited.

Post-acquisition phase

After the acquisition is finalized, the security frameworks of both companies are integrated into a single entity. This involves aligning policies, standards, and compliance frameworks to create a unified approach in security practices. However, without proper due diligence and continuous monitoring post-acquisition, businesses are prone to inherited risks.

In late 2018, Marriott hotel chain announced a massive data breach two years after it acquired Starwood. Following investigation, it was revealed that Marriott continued to use the IT infrastructure inherited from Starwood, which had already been breached by hackers and infected with malware. This oversight led to the compromise of an estimated 500 million guest records, including credit card and passport details.

AI and the future of M&A cycles

AI and big data are reshaping strategic decision-making in M&A. Key milestones in the M&A lifecycle, such as due diligence and target identification, continue to be optimized by artificial intelligence. This allows more enterprises to focus on stakeholder communication, negotiation, and other business processes.

A study by Carnegie Mellon University shows how utilizing M&A deals and financial disclosure in Natural Language Processing Systems (NLPS) can significantly enhance predictions of corporate acquisition targets.

Over the next few years, AI models will become more sophisticated in predicting market movements and identifying strategic growth opportunities.

AI and due diligence

For over two decades, the use of virtual data rooms (VDRs) and the amount of data stored in those VDRs have transformed the due diligence process.

AI and ML can analyze large datasets and conduct thorough due diligence with higher speed, depth, and accuracy. This includes financial risk analysis, vulnerability assessment, and even assessing cultural fit between companies. Natural Language Processing (NLP) algorithms can extract key information from documents, making it easier for teams to identify risks and opportunities.

Deloitte’s 2024 M&A Trends Survey shows that 99% of organizations have begun incorporating Generative AI into their deal-making process. Generative AI can simulate various scenarios based on historical data and predict potential outcomes, helping decision makers in assessing the risks of an acquisition.

M&A security challenges and best practices

M&A common security challenges

Security risks can inadvertently jeopardize the success of mergers and acquisitions. To ensure a smooth integration, it is crucial for the security team and leadership to align on potential risks and mitigation strategies.

Here are some tell-tale signs that can put business deals at risk.

1. Incomplete or inaccurate information: During the due diligence phase, the acquiring company may not receive a complete picture of the target company’s security posture, including undisclosed vulnerabilities or past breaches.
2. Resistance from the target company: Resistance and lack of cooperation from the target company’s IT and security teams can impede the integration process and expose the company to threats.
3. Integration complexities: Merging disparate security infrastructures is a complex task that involves aligning different systems, protocols, and technologies to ensure seamless security.
4. Differences in security practices: Each company may have distinct cybersecurity cultures, policies, and practices. Aligning these can be difficult and time-consuming, which can easily be exploited by attackers. In 2016, Hershey rejected a $23 billion Mondelez merger offer. This was as a result of Hershey’s commitment to its core values and long-term strategic vision, prioritizing its mission over potential short-term financial gains.
5. Third-party agreements and risks: The acquisition process often involves third-party vendors and partners who can introduce unexpected threat vectors to the newly merged or acquired company.

M&A security best practices

For organizations considering acquisition, it’s important to develop comprehensive M&A protocols to cover all aspects, including potential risks, undiscovered vulnerabilities, and post-acquisition reviews.

Consider these strategies to manage security risks in mergers and acquisitions.

1. Establish a dedicated M&A security team: Engage your CISO and security teams to form a specialized team focused solely on managing security aspects, so any emerging issues can be promptly addressed.
2. Early and continuous security involvement: Integrate security considerations early in the due diligence phase and maintain continuous involvement throughout the M&A lifecycle.
3. Watch out for dormant attackers: Conduct thorough scans and audits to detect any dormant threats within the target company’s network. Identifying and neutralizing these threats can prevent potential breaches.
4. Comprehensive documentation and reporting: Maintain detailed documentation of all security measures, assessments, and decisions made during the M&A process.
5. Leverage third-party security experts: Utilize external firms to conduct independent assessments. Sometimes, external experts can help identify issues that internal teams might overlook.

Managing the M&A lifecycle

Managing security during M&A must be an ongoing process throughout the entire acquisition lifecycle. The more due diligence a company performs during M&A, the better they will be able to reduce risks, protect the company’s assets, and ensure a smooth transition.

At SecurityPal, we handle the due diligence process with meticulous attention to detail and a thorough assessment. Our commitment ensures that every step is precise and reliable, unearthing hidden risks and possible fines before they affect you.

Subscribe to our newsletter for monthly updates on security, GRC, and GTM.

‍