When companies merge, acquire or are acquired, they’re exposed to a variety of threats during the transaction period, including some, such as cybersecurity risks, that could terminate the deal. Managing data breach and other cybersecurity risks must be a top priority for both acquired and acquiring companies to ensure the success of the transaction and the security of the transformed organization going forward.
Companies engaged in M&A activities should keep these critical cybersecurity considerations in mind:
1. Cybersecurity can affect sale price and terms.
During Verizon’s acquisition of Yahoo, the internet giant disclosed two massive data breaches that affected more than 1 billion user accounts. Consequently, Verizon cut $350 million off its offer, even though the companies had initially agreed on a sales price months before Yahoo disclosed the breaches. What’s more, publicized data breaches can lead to a drop in stock price and devaluation of the company.
The data breach preparedness and cybersecurity infrastructure of both companies should be closely evaluated during the due diligence process. A company with strong protections in place may be a more desirable M&A partner than one whose cybersecurity measures are lacking — and consequently take a position of strength during negotiations.
2. When you acquire a company, you don’t just get its business properties, you also acquire its cybersecurity — or lack thereof.
During a merger, companies acquire each other’s benefits and threats, including cybersecurity risks. It’s critical for companies to have a clear picture of each other’s cybersecurity position. How well has each prepared for a data breach response? Is cybersecurity a cultural priority throughout every level of the organization, or is it considered the responsibility of the IT department? What type of data does each company deal with, what are the risks associated with unlawful disclosure, and what security protocols are in place to protect it?
3. Cybercriminals read the business pages looking for opportunities.
Large financial deals make headlines and can attract the attention of cybercriminals seeking financial gain through corporate espionage. Since it’s not always possible to keep significant M&A deals out of the public eye, businesses involved in the transaction must assess the risks and protections of both companies.
4. You must be prepared to respond to a cyber incident during the transaction period and beyond.
Critical data and systems must be protected at every stage of the transaction, from initial negotiations to due diligence and integration. If cybersecurity has been a priority for both organizations prior to the transaction, incorporating strong security practices into the M&A process should be an organic transition for both. A merger or acquisition is also a pivotal moment in the lives of both companies, so data breach response plans and cybersecurity practices will need to be reassessed and updated accordingly to ensure the ongoing security of the new entity.
5. Global regulations add a layer of complexity to cybersecurity for an international deal.
Around the world, regulators have begun paying closer attention to the evolving landscape of cybersecurity, and are implementing regulations to protect consumers from the impact of data breaches and other cybersecurity incidents. Companies engaged in a global merger or acquisition will need to ensure compliance with data breach notification regulations in every country in which the participating companies do business.
A final word
Research by the Ponemon Institute tells us 86 percent of companies already have a data breach response plan in place, but the existence of a plan is not enough on its own to ensure the security of companies amid M&A transactions. Companies involved in a merger or acquisition must have a clear picture of each other’s ability to manage cyber threats, and take steps to ensure the continued security of the new organization going forward.