Analyzing Cyber Risks in M&A Transactions

By Joey Masters, Commercial Risk Advisor


Acquiring a new entity inherently translates to adopting a fresh set of digital operations and cybersecurity risks. Data breaches and cyber vulnerabilities can certainly be a deal breaker in today’s M&A environment. It is essential for acquirers to gain a clear understanding of their target’s cyber risk profile. A holistic analysis of the target company’s cyber environment will help firms uncover cyber vulnerabilities, evaluate how cyber activity impacts value and mitigate risks to close the deal with peace of mind.

Assess Vulnerability

A cyber vulnerability assessment can help acquirers uncover risks they could inherit from an acquisition. It’s important to understand the threats your target is facing and the risk controls they currently have in place to determine areas of vulnerability.

External Threats

Cybercriminals are becoming more adept at their craft each day. It’s vital to understand how external parties can infiltrate the target company’s network. The most common tactic is social engineering. Through savvy email tricks, like impersonating executive leaders or financial personnel, cybercriminals can manipulate employees into granting them access to company networks. After the network has been compromised, cybercriminals can spread malware, ransomware and other malicious code to shut down a network, or exfiltrate sensitive data to sell on the black market.

Internal Threats

Current and former employees represent the top source of security incidents, over hackers and competitors. Taking a look at the company’s culture, employee engagement and turnover can give the acquirer a keen insight into potential internal threats.

Existing Relationships

Let’s not disregard vendors, contractors and organizations the target currently does business with. These relationships may present significant cyber liability to a firm’s fund if not assessed and treated properly. Third parties that handle sensitive data, personally identifiable information, protected health information, or payment/credit card information should be examined under the same scrutiny as the target company.

Risk Controls

Once the threats have been assessed, an analysis of the target company’s current cyber risk controls will determine their security strengths, weaknesses and vulnerability gaps. Understanding how a company protects its data and intellectual property on the front end is mission critical. Some key questions to ask include, but certainly are not limited to:

    • Are they utilizing enterprise awareness training to control social engineering?
    • What kind of data are they storing and how?
    • Does the company handle Personally Identifiable Information (PII) or Protected Health Information (PHI)? If so, what safeguards are in place to protect it?
    • On what basis does the company grant access to its users? Are they using multifactor authentication?

Evaluate Value

Evaluating a target’s true value is an essential part of any M&A transaction. As cyber events and integration issues come into focus, the costs associated with each can lead to drastic changes in a target’s true value. A cyber assessment may uncover an existing breach that requires significant costs to adequately recover. In addition, you may realize deal value should be less because of the necessary investment in cybersecurity resources.

Breach History

It is paramount to obtain and understand the details of any historical data breaches or significant cyber events that have impacted your target. On average, US companies identify they’ve been hacked 200 days after a breach. It’s not uncommon for a significant threat to surface only after the deal has concluded. Thus, it’s critical to verify the target company’s contractual obligations before closing!

Synergy and Implementation

Confidence in prevailing controls is key. However, determining how these controls will integrate into the target company’s systems and protocols should not be overlooked. Aligning cyber capabilities can be extremely costly, which could significantly decrease the value of a deal. Navigating cyber integration through a transition service agreement (TSA) is ideal, as it would contractually obligate the target to provide infrastructure support after the transaction closes.

Mitigate Risks

Mitigating risks and gaining confidence in the target’s systems will allow you to close the deal with peace of mind.

Establishing a relationship with a cybersecurity firm can be advantageous for frequent acquirers. Rather than relying on target-provided data, obtaining a third-party security assessment will equip you with an unbiased analysis of the target’s cyber risk profile.

Identify, Quantify and Indemnify

Once the issues are identified, your solutions must be quantified and worked back into the deal. This presents a grand opportunity for the acquirer to shift responsibility back to the seller or request that a portion of the seller’s proceeds is dedicated to remediation efforts.

The frequency and extent of high-profile cyberattacks reported by the media demonstrate the inherent cyber risks all organizations face. Implementing a cyber risk analysis in the due diligence phase of an acquisition is critical for understanding a target company’s cyber risk profile. Consult a BKS commercial risk advisor to help you identify, analyze and treat the risks associated with your next M&A transaction.
