By David Barton, Chief Information Security Officer, Forcepoint
At the height of merger-mania, eager participants frequently viewed cybersecurity as an afterthought. “Let’s just make this acquisition work,” they’d reason, “and we’ll figure out how to protect everything once the deal is in place.”
But we’re now seeing a more cautionary approach take hold. In fact, global merger and acquisition (M&A) activity is falling off, with the value of deals totaling $1.71 trillion for the first half of this year, down from $2.09 trillion for the first half of 2015, according to research from Dealogic, a financial research/analytics company.
Even more telling: The value of withdrawn deals (those which were scuttled somewhere along the way) amounted to $606.4 billion for the first half of the year – a record high.
Cybersecurity has emerged as a driving factor in the trend: four of five M&A practitioners say they consider it a “highly important” issue during the due diligence phase of deal-making, according to survey research from the business/tech consultancy West Monroe and Mergermarket, an M&A-focused financial news site.
Despite the elevated attention, 40 percent of these professionals have encountered cybersecurity problems after a deal went through – which reveals that the due diligence process isn’t rigorous enough – and 77 percent say they’ve had to walk away from a deal due to data security issues at the targeted company.
In another survey from the international law firm of Freshfields Bruckhaus Deringer, 82 percent of dealmakers say the risk of cyber-attacks will change M&A procedures over the next 18 months.
Echoing the West Monroe/Mergermarket findings, the Freshfields Bruckhaus Deringer survey reports that nine of ten respondents believe breaches would result in a reduction in deal value and 83 percent say a deal could be abandoned if breaches are identified during due diligence or the transaction.
As an M&A veteran, I’m extremely encouraged to see the focus on enterprise threats during due diligence because – as stated – this hasn’t always been the case. There are essentially three stages of a merger: pre-announcement, announcement, and post-announcement.
Fortunately, more companies are concluding that they need to address cybersecurity from Day One of the “courtship,” or the very start of the pre-announcement period. With this in mind, here are three critical steps you should pursue in the initial stage:
Assess the cybersecurity programs of both organizations. The breadth and depth of the two programs will indicate whether we have a “perfect match” or a potentially disharmonious pairing. Develop a questionnaire that will gauge a wide range of relevant issues about the respective information security policies.
The questionnaire should lead to discussions about which compliance activities both organizations are legally bound to, and what the internal controls look like.
Compare the governance models too – does one company employ an entire governance unit, while the other has simply designated a couple of IT guys who do governance in their spare time? Ultimately, you’re seeking to assess the information assurance maturity of both businesses, to ensure they align.
As part of this, you should appoint a person of influence as your primary M&A cybersecurity leader. This person will take charge of the process, driving the needed inquiries and working with CIOs, their IT teams and line of business leaders on both sides to collect the required information.
You may consider hiring a respected, outside third party to do this, to lend a sense of objectivity and authority.
Take a deep dive into the tech. Somewhere within the pre-announcement phase, you must carefully examine the technologies which support the programs/policies. Among the key questions to ask:
Do you encrypt your “crown jewels,” i.e. confidential and sensitive data about customers, key corporate functions and strategies? Where is it kept? Do you classify it? If you’re merging with a company committed to classifying its data, you can probably conclude that it’s doing a good job overall.
In addition, inquire as to whether the other organization has the right tools to conduct vulnerability assessments. IT teams need to “see” – and understand – what the inside of the network looks like.
They should be capable of determining whether internal user activity on the internet and outbound network traffic are consistent with policies.
Talk to the people. Clearly, the awareness and practices of employees greatly impact the safety of your data. Whether via all-hands meetings, group discussions or training sessions, proactively launch conversations with staffers about this topic.
Let them know that – once the deal is announced – it is highly likely that hackers will hatch phishing and social engineering schemes, posing as someone from the other organization.
These crooks may, for instance, ask for a confidential report and/or gain users’ trust in order to compromise the network.
Employees must build absolute awareness about these ill-intended tactics and remain vigilant in their day-to-day usage of computers, devices, email, files, and the internet.
When you’ve implemented the three critical steps in the pre-announcement stage, you’ve set the table quite nicely for the other two.
During the announcement and post-announcement period, you can identify all “cybersecurity gaps” within your program evaluation and invest in the policies and tech tools which will close them.
As the consolidation progresses, the combined IT teams can work together to come up with a unified set of tech solutions and practices to defend the enterprise.
You should also monitor user activity post-announcement. This activity will change in response to the M&A. It’s human nature. People are concerned about their department’s future and, obviously, their jobs.
With the right network monitoring products in place, however, you can distinguish what’s “different but allowable” and what may invite the risk of a threat (thus, different and unallowable).
When you “bake in” data defense from the very start of an M&A, you spare yourself a tremendous amount of “buyer’s remorse” down the road.
Think about it: Throughout every phase, you’re scheduling lengthy meetings to review how best to combine merging units such as HR, finance, marketing/sales, and research and development.
Why should cybersecurity be any different? It’s best to assure the protection of the “jewels,” after all, before bringing them together.
About The Author
David Barton is the Chief Information Security Officer for Forcepoint, responsible for securing the company and sharing our key learnings with customers.
Barton brings to his role more than 20 years of experience in security leadership across a variety of sectors including telecommunications, healthcare, software development, finance, and government.