Cybersecurity Risks, A Growing Concern To M&A Deals

Cybersecurity issues are increasingly becoming a concern in mergers and acquisitions, a new survey shows.

Forescout recently commissioned a survey of nearly 3,000 IT and business decision makers across United States, France, United Kingdom, Germany, Australia, Singapore and India to examine the importance of cyber assessment during M&A and determine how well companies are prepared to deal with cyber risk during M&A.

The research study, The Role of Cybersecurity in M&A Diligence uncovered a number of interesting insights into the current mindset of CXOs, as well as some of the areas of concern and opportunities for improvement during the due diligence process of an acquisition.

On a positive note, the study finds that organizations are placing more focus on a target’s cybersecurity posture than they did previously. 

Cybersecurity – a key concern during M&A

Over half (50%) of the respondent report their organization has encountered a critical cybersecurity issue or incident during an M&A deal that put the deal into jeopardy. Take the Verizon acquisition of Yahoo in 2017 as an example. Following Yahoo’s security breach disclosures, there was a $350 million acquisition price cut.

Cybersecurity concerns discovered after consummation of the deal often present costly risks that would have been factored into the deal negotiations and/or may have led to the dissolution of the deal. After closing the acquisition, 65% experienced buyers’ remorse, regretting the deal due to cybersecurity concerns.

“M&A activity can be a game-changing moment in a company’s history, but recent breaches shine the spotlight on cybersecurity issues and make one thing abundantly clear: you don’t just acquire a company, but you also acquire its cybersecurity posture and a potential Trojan horse,” said Julie Cullivan, chief technology and people officer, Forescout.

“Cybersecurity assessments need to play a greater role in M&A due diligence to avoid ‘buying a breach.’ It’s nearly impossible to assess every asset before signing a deal, but it’s important to perform cyber due diligence prior to the acquisition and continually throughout the integration process.”

Eighty-one percent of CXOs agree that they are putting more of a focus on a target’s cybersecurity posture than in the past, highlighting that cyber is a top priority for both IT and business decision makers.

CXOs paying greater attention

At a glance, cybersecurity threats is recognized by decision makers as something they need to pay attention to, because if they don’t, it could stop a deal in its tracks, or result in major financial losses or reputational damages down the road.

The study also notes that cyber assessments should be a major part of the acquisition evaluation process—not only at the point of integration, but throughout the entire acquisition.

Cullivan stated that any cyber evaluation, no matter how thorough, can only go so deep until the transaction is complete and the acquiring company has full access to the target company’s network, hardware, software, and other assets.

According to her, “It’s also important to remember that slow and steady wins the race. Time and time again I’ve seen companies complete an acquisition and jump into integration because they are in such a rush to take advantage of the new capabilities, customer base, or larger market.”

She concluded that a thorough investment may take time but will prove invaluable in the long-run.