Cybersecurity Assessments are key to today’s Mergers & Acquisitions

If you’re in the Mergers & Acquisitions business, you’ll want to get the facts by continuing on to read this blog.

The Facts

The average cost of a data breach is $3.86 million.

The average cost per lost or stolen record in a data breach is $148.

The average time it takes to identify a data breach is 197 days.

The average cost savings with an incident response team protocol is $14 per record.

Companies that contain a breach in less than 30 days saved more than $1 million compared with those who took longer.

Consider This:

Mid-sized companies are a prime target for hackers.

In 2018, 71% of cyber-attacks occurred in businesses having less than 100 employees.  Many mid-sized companies believe they are immune to the threats of cyber hackers.  In fact, these companies are prime targets because small and mid-sized companies do not devote the same resources to cybersecurity compared to large corporations. Hackers often attack mid-sized companies to find easy access into larger ones.

The Target Corporation was breached in November 2013, but the breach was not discovered for several weeks, resulting in the compromise of 40 million credit and debit card numbers and personally identifiable information of 110 million customers.  Hackers gained access through a smaller, third party HVAC vendor, which then allowed them to gain access to its point- of-sale payment card readers.

While studying the economic factors in a merger & acquisition, did you evaluate the cyber implications?  

Cybersecurity has become one of the biggest risks in business today. Security incidents have exposed sensitive or strategic data, disrupted operations, incurred legal penalties, damaged customer loyalty, and caused irreparable harm to company brand and reputation.

During a merger & acquisition, the primary focus, historically, has been on the financial implications of this transaction.  However, one important, and often overlooked aspect, is the study/evaluation of the cyber implications.

What would happen, if it was discovered, after the M&A is completed, that a security breach had occurred, in either, or both, entities?

It is critical to understand the nature and significance of the target company’s M&A security vulnerabilities, the potential scope of the damage that may occur (or that already has occurred) in the event of a breach, and the extent and effectiveness of the cyber defenses the target business has in place.  An appropriate cyber security assessment of these issues could have a major impact on the value the acquirer places on the target company, as well as the way it structures the deal. Investors must place a higher value on the cyber resilience of a potential acquisition.  If an acquisition took place, and the systems are breached after closing the deal, the acquisition value could suffer significantly which is why it’s vital to conduct cybersecurity assessments.

Some Major Security Breaches Resulting in Consequences to a Merger & Acquisition:

• Marriott Hotels, 2018 – The breach was reported in Nov 2018, however, it actually occurred on the system supporting the Starwood Hotels in 2014, exposing personal information (including payment card information). The attackers remained in the system after Marriot acquired Starwood Hotels in 2016, and were not discovered until September 2018.
• Uber, 2016 – When the breach was announced, Uber was in negotiations to sell a stake to SoftBank. Uber’s valuation is estimated to have dropped $20 Billion, with a significant factor being the data breach.
• TripAdvisor, 2014 – Shortly after TripAdvisor completed the $200 million acquisition of Viator, attackers breached the system, affecting the information of 1.4 million customers. TripAdvisor did not uncover the breach themselves. Their payment card service began receiving unauthorized charges on customer credit cards.  This breach resulted in significant remediation costs for TripAdvisor, and directly affected its stock price and reputation.

Best Practices BEFORE A Merger & Acquisition

1. Make cybersecurity part of due diligence.

When reviewing a potential acquisition target, good financial and operational due diligence is important, particularly focusing on the company’s cyber-resiliency.  Attacks occurring after the close of a transaction, or undetected attacks prior to the close of the transaction, are costly to resolve.  The cybersecurity measures already in place by an acquisition target should be reflected in their valuation, risk profile and overall assessment of operational strength.

2. External protection alone is not adequate.

When assessing an organization’s cyber strength, do not assume that having protection from external attackers is enough to provide security. Many companies believe that having external cyber protection in place is adequate to ward off hackers. Companies must address internal threats such as human error, which is a frequent cause of security breaches. A prime time for hackers to strike is immediately after an acquisition or merger. New employee names and titles often cause uncertainty and confusion, allowing hackers additional opportunities to gain system access.  Identifying security vulnerabilities during the due diligence process can be invaluable to the entire process.

3. Compliance does not equal security.

Many companies are required to comply with standards such as PCI, SOX, FISMA, and HIPAA.  It is important to remember that being compliant only satisfies specific requirements given by a regulatory agency.  Compliance does not protect your organization from security threats, or penalties that could result from a data breach.

4. Third parties must meet cybersecurity standards.

In 2015, 63% of data breaches were linked to a third-party business partner. Weaknesses in business partner systems with direct connections into the acquisition target, can become an access point for hackers. When assessing the cyber resiliency of an acquisition target, analyze third parties, cloud applications and business partners, to ensure they follow cybersecurity best practices.

5. Prepare for post M&A.

Mergers and acquisitions create new opportunities for hackers. As companies are acquired or merged, changes are made to IT infrastructures, creating gaps in information security systems, policies, procedures and safeguards. Companies need to implement best practices, to minimize security risks, and ensure a smooth system integration

Take the First Step

Contact Vestige to perform an IT Assessment to determine the “cyber health” of the IT system. Through this cyber security assessment, you’ll learn the strengths, weaknesses and risks prior to the merger or acquisition of a company.