Why Cybersecurity Is Critical for a Successful M&A
In its “Cybersecurity Is Critical to the M&A Due Diligence Process” research note, Gartner points out that the M&A process is complicated by the inability to integrate and manage the cybersecurity practices of both companies. As part of the due diligence process, the acquiring company needs to examine the cybersecurity history and policies of the organization that it wants to acquire very carefully, as illustrated by the takeover of Yahoo by Verizon.
On June 25, 2016 Verizon issued apress releasestating that it was going to acquire Yahoo’s operating business for approximately $4.83 billion in cash. A few month later, on September 21, 2016Verizon learned of a major data breach at Yahoothat affected at least 500 million Yahoo user accounts.According to Yahoo, the mined account information could have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and even encrypted or unencrypted security questions and answers. As it turned out, all 3 billion Yahoo accounts were breached.
The fallout of the Yahoo breach:
Verizon lowered the purchase price to $4.48 billion
A US Senate panel grilled CEO Mayer regarding Yahoo’s security breaches
CEO Marissa Mayer did not receive her annual bonus and lost out on stock options
The breach illustrates that an M&A also entails a number of cybersecurity risks that might not be known when the negotiations first started. That’s why after the Yahoo breach, the M&A due diligence process changed. In the old days, it focused on risk areas such as tax, employment and benefits, intellectual property protection, lawsuits, and contracts. With the rise of data breaches, cybersecurity due diligence has become an important part of it.
80% of respondents said that cybersecurity issues have become highly important in the M&A due diligence process
52% of acquirers said they had discovered a cybersecurity problem at an acquisition after a deal went through
70% of respondents said compliance problems are one of the most common types of cybersecurity issues uncovered during due diligence, while 40% said a lack of comprehensive security architecture is also common
The top three reasons that deals failed were: cybersecurity concerns (23%), financial and tax issues (23%), and problems with compliance (18%)
41% of respondents listed issues relating to cybersecurity as their main post-merger worry
The scope of cybersecurity assessment during M&A due diligence should include at least the following:
Examining and understanding the security posture of the to acquire organization
Reviewing the history of the organization’s vulnerability assessments and/or Penetration tests
The compliance history and policy of the organization
As part of the due diligence, the security posture of an organization should be assessed during every step of the M&A process, including pre and post deal. To assist in this daunting process, it is recommended to use Cymulate’sBreach & Attach Simulation (BAS) platform. Its advanced technology allows for launching simulations of cyberattacks against the organization to be acquired, thus immediately exposing vulnerabilities and providing mitigation procedures to close each gap. Each assessment covers a number of security solution and controls.
With Cymulate’s end-to-end security posture assessment, the organization’s network defenses are tested to see how well it copes with pre and post exploitation attacks.
Accounting firms and other analysis organizations can use Cymulate’s BAS platform during the stages of its M&A process:
Pre-closing: As part of M&A process, the accounting firm performs Cymulate assessments at the organization in question to verify its security posture;
Evaluation phase: The accounting firm conducts regular periodical audits at the organization to verify that its Cymulate risk score has not changed;
Ongoing: The accounting firm monitors the security framework of the organization with ongoing Cymulate assessments.
To learn more, contact Cymulate at email@example.com. You can also test it out yourself by requestinga free trial.