Cybersecurity Issues Are M&A Deal Breakers

Even as one-time Internet giant Yahoo is swallowed in a $6.5 billion acquisition, merger and acquisitions (M&A) experts have warned that due-diligence audits of companies targeted for acquisition often reveal cybersecurity risks that compromise compliance and could threaten the merger and acquisition activities.

The warnings come in the wake of research, compiled for West Monroe Partners by research firm Mergermarket, that found 70 percent of acquisition targets had compliance issues and nearly half lacked comprehensive data security architectures.

Audits had revealed an abundance of security issues when companies were closely examined by potential acquirers: fully 37 percent of respondents said they had seen targets prove to be vulnerable to insider threats, with 27 percent lacking a data-security team and 17 percent having weak employee password policies.

A third of respondents said they had previously found inadequate mobile security at target companies, while 30 percent had found problems with local server storage and 20 percent had issues with vulnerable cloud storage.

There is no telling what cybersecurity issues emerged during Verizon's examination of Yahoo's internal systems in the lead-up to the clinching of the deal. However, the massive acquisition is likely to have surfaced more than a few outstanding issues that needed to be addressed.

Such findings can often have a material impact on the terms of an acquisition, with 20 percent of respondents saying they would use such findings to negotiate better terms including a lower purchase price.

“To protect themselves from security lapses, acquirers are turning to vigorous due diligence to examine the IT infrastructure of deal targets,” the report notes. “Diligence procedures are quickly expanding and improving – but many companies continue to identify shortcomings in the process.”

Reflecting this expanded focus, some 77 percent of survey respondents said that the importance of security of data at M&A targets had increased dramatically over the past two years, with the considerable costs of data breaches driving acquirers to take an increasingly proactive stance that can also result in deals being iced if a potential acquirer’s cybersecurity defences aren't up to scratch.

And that, the report's authors concluded, is an all too frequent finding once potential acquirers start digging deep into systems that have often struggled to get meaningful funding in the long term. Yet the presence of cybersecurity issues in and of its own is not a deal-killer; only one-third of respondents said they use the information gained in cybersecurity audits to decide whether to go ahead with the deal.

Rather, the key is to evaluate how much impact those issues will have on the business and how easily they can be remedied; some 47 percent of respondents said they used due-diligence findings to start planning for fixes to the problems they identified.

“It's realistic to expect most M&A targets to have a few cybersecurity issues,” the report's authors concluded, noting that a proper due-diligence exercise must examine “the full gamut of risks” including breach history, specific data threats, problems for integration, and the cost of potential fixes. “The key is identifying them and determining how easily they can be addressed.”

The cost of correcting existing problems after a merger was the most frequently-cited concern about cybersecurity issues, nominated by half of respondents. This compared with 43 percent who were concerned about potential complications for post-merger integration; 37 percent worried about frequent or recent data breaches; 37 percent worried about threats to customer data; and 33 percent worried about threats to business data.

Respondents flagged a lack of cybersecurity staff as a key issue during M&A deals, with 32 percent saying not enough qualified staff had been involved in the due-diligence process during recent deals. This had often increased the cost of getting a newly acquired company up to speed, particularly since acquirers inherited both the infrastructure and the risks and potential penalties that would be incurred from an unforeseen security vulnerability.

“The abundance of new data security tools has made it easier to have cutting-edge technology in place,” the report noted. “But the way in which tools are used and relationships are managed remains paramount when it comes to maintaining sound cybersecurity.”

CSO

 

« Insider Trading: Ukrainian Hackers Accomplice Pleads Guilty
Bio-Electronics: A New Business Controlling Human Organs With Electronic Implants »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

MobileIron

MobileIron

MobileIron provides EMM capabilities to IT organizations that need to secure mobile devices, applications and content.

Texplained

Texplained

Texplained specializes in security audits of microchips to identify vulnerabilities and protect against invasive cyber attacks.

Learning Tree International

Learning Tree International

Learning Tree's comprehensive cyber security training curriculum includes specialised IT security training and general cyber security courses for all levels of your organisation including the C-suite.

Egyptian Supreme Cybersecurity Council (ESCC)

Egyptian Supreme Cybersecurity Council (ESCC)

ESCC is responsible for developing a national strategy to face and respond to the cyber threats and attacks and to oversee its implementation and update.

Mitre

Mitre

At Mitre we work across government to tackle challenges to the safety, stability, and well-being of our nation. Areas of expertise include Cybersecurity.

FirstPoint

FirstPoint

FirstPoint has developed the market’s most advanced solution for securing cellular devices, including mobile phones and IoT products, by blocking malicious data leakage.

National Cybersecurity Preparedness Consortium (NCPC) - USA

National Cybersecurity Preparedness Consortium (NCPC) - USA

The mission of the NCPC is to provide research-based, cybersecurity-related training, exercises and technical assistance to local jurisdictions, counties, states and the private sector.

CipherBlade

CipherBlade

CipherBlade specializes in blockchain forensics, data science and transaction tracking.

Xperience

Xperience

Xperience solves our clients’ toughest challenges by delivering business efficiency through digital transformation solutions across cloud, managed IT, CRM and ERP.

Cider Security

Cider Security

Cider Security - It’s time to revolutionize the way Security, Dev and DevOps teams work together to supercharge security at the speed of engineering.

Cyber Security Partners (CSP)

Cyber Security Partners (CSP)

Cyber Security Partners specialise in the provision of Cyber Security Consultancy, Data Protection and Certification and Compliance services.

Campus cyber

Campus cyber

A project initiated by the President of the Republic, the Cyber Campus is the totem site of cybersecurity that brings together the main national and international players in the field.

Bores Security Consultancy

Bores Security Consultancy

Bores Security Consultancy are an established family-run business delivering expertise in security and technology.

MiC Talent Solutions

MiC Talent Solutions

MiC Talent Solutions provides recruiting, direct hire, augmented staff, and professional service contracting solutions for organizations searching for minority cybersecurity talent.

Epic Machines

Epic Machines

Epic Machines is a Value Added Reseller and Managed Security Services provider offering Security Transformation using Cloud-native solutions to commercial and government markets.

Aardwolf Security

Aardwolf Security

Aardwolf Security specialise in penetration testing to the highest standards set out by OWASP. We ensure complete client satisfaction and aftercare.