Why Cybersecurity Is Critical for a Successful M&A
In its “Cybersecurity Is Critical to the M&A Due Diligence Process” research note, Gartner points out that the M&A process is complicated by the inability to integrate and manage the cybersecurity practices of both companies. As part of the due diligence process, the acquiring company needs to examine the cybersecurity history and policies of the organization that it wants to acquire very carefully, as illustrated by the takeover of Yahoo by Verizon.
On June 25, 2016, Verizon issued a press release stating that it was going to acquire Yahoo’s operating business for approximately $4.83 billion in cash. A few months later, on September 21, 2016, Verizon learned of a major data breach at Yahoo that affected at least 500 million Yahoo user accounts. According to Yahoo, the mined account information could have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and even encrypted or unencrypted security questions and answers. As it turned out, all 3 billion Yahoo accounts were breached.
The fallout of the Yahoo breach:
- Verizon lowered the purchase price to $4.48 billion
- Yahoo shares went down 2.57%
- The SEC fined Yahoo $35m for failing to disclose the data breach
- Verizon forked out $500m to mitigate the damage
- A US Senate panel grilled CEO Mayer regarding Yahoo’s security breaches
- CEO Marissa Mayer did not receive her annual bonus and lost out on stock options
The breach illustrates that an M&A also entails a number of cybersecurity risks that might not be known when the negotiations first start. That’s why, after the Yahoo breach, the M&A due diligence process changed. In the old days, it focused on risk areas such as tax, employment and benefits, intellectual property protection, lawsuits, and contracts. With the rise of data breaches, cybersecurity due diligence has become an important part of it.
In a study commissioned by management consulting firm West Monroe Partners’ M&A practice, 100 senior global executives were surveyed:
- 80% of respondents said that cybersecurity issues have become highly important in the M&A due diligence process
- 52% of acquirers said they had discovered a cybersecurity problem at an acquisition after a deal went through
- 70% of respondents said compliance problems are one of the most common types of cybersecurity issues uncovered during due diligence, while 40% said a lack of comprehensive security architecture is also common
- The top three reasons that deals failed were: cybersecurity concerns (23%), financial and tax issues (23%), and problems with compliance (18%)
- 41% of respondents listed issues relating to cybersecurity as their main post-merger worry
The scope of cybersecurity assessment during M&A due diligence should include at least the following:
- Examining and understanding the security posture of the organization to be acquired
- Reviewing the history of the organization’s vulnerability assessments and/or penetration tests
- Reviewing the compliance history and policy of the organization
As part of the due diligence, the security posture of an organization should be assessed during every step of the M&A process, including pre- and post-deal. To assist in this daunting process, it is recommended to use Cymulate’s Breach & Attack Simulation (BAS) platform. Its advanced technology allows for launching simulations of cyberattacks against the organization to be acquired, thus immediately exposing vulnerabilities and providing mitigation procedures to close each gap. Each assessment covers a number of security solutions and controls.
With Cymulate’s end-to-end security posture assessment, the organization’s network defenses are tested to see how well they cope with pre- and post-exploitation attacks.
Accounting firms and other analysis organizations can use Cymulate’s BAS platform during the stages of their M&A process:
- Pre-closing: As part of the M&A process, the accounting firm performs Cymulate assessments at the organization in question to verify its security posture;
- Evaluation phase: The accounting firm conducts regular periodic audits at the organization to verify that its Cymulate risk score has not changed;
- Ongoing: The accounting firm monitors the security framework of the organization with ongoing Cymulate assessments.