Corporate boards widely recognize due diligence as a critically important component of the M&A process, particularly when it comes to vetting financial numbers and legal obligations. The stakes are enormous: The value of worldwide mergers and acquisitions totaled $3.6 trillion in 2017, according to Thomson Reuters. Globally, M&A activity is increasing and could reach record highs in 2018.
Yet cybersecurity continues to be an oft-neglected part of M&A due diligence, despite heightened awareness of the existential risk that information security threats pose to companies – and deals of any kind. Not only can cybersecurity risks derail M&A deals, they can also be critical factors in whether the transaction is ultimately successful for shareholders, employees and stakeholders. In order to maintain a healthy M&A landscape, information security risk factors must be considered a top priority.
Today, there are many security ratings companies that can help quantify the external cybersecurity performance of potential acquisition targets from an overall organization or industry perspective, but these assessments don’t show what could happen if two networks are merged together. What’s happening inside the company is even more important. When organizations are looking at merging networks, there are a wide range of factors to consider: If you are the acquiring company, you’ll want to make sure you’re not going to merge an unsafe network into a “clean one.”
One of the top questions to ask: Does the acquired network have significant risk, vulnerabilities, privileged users or people with stealthy administrative privileges? Compromised credentials alone were responsible for 81 percent of hacking-related breaches last year, up from 50 percent in 2015. Anecdotally, we hear of cybersecurity concerns derailing M&A deals on a regular basis. In one of the most famous examples, Verizon sought a $925 million discount for its merger with Yahoo following revelations of the infamous Yahoo breach (they ended up getting a $350 million discount, resulting in a $4.48 billion total price tag).
Key Considerations for Managing Cyber Risk Across Networks during M&A Transactions
Company leadership and financial institutions must prioritize cybersecurity posture for evaluating M&A risk. When looking to merge network environments, there are three key areas to prioritize.
1) Continuous and Holistic Visibility: Companies must be able to see, in real time, a holistic view of Identity in the acquired network, whether cloud, on-premises, or hybrid. There must be an understanding of normal, suspicious and risky user behavior: who is accessing what, when, where and with what device(s).
2) Proactive Risk Identification: To conduct proper due diligence, companies must review areas of risk that can be proactively cleaned up, particularly weak passwords, stale accounts, and privileged users.
3) Real-Time Response: Once an organization can look at Identity, Behavior and Risk across all platforms and networks, it can use that view to respond in real time, preempting threats before impact and becoming more proactive with security while progressing through M&A integrations.
At Preempt, we’ve observed firsthand how cybersecurity posture can introduce tremendous consequences and uncertainty into M&A activity. In particular, we recently worked with a large financial services firm upon its acquisition of another leading financial services business. The acquisition presented an opportunity to provide a leading financial platform to customers, yet cyber risk factors posed critical threats to the execution of their strategy.
When looking to merge the two networks together, they lacked a view of the acquired company’s network, which included two directory infrastructures across seven domains and the users and accounts within it. This lack of visibility into users, privileged users and service accounts caused them to have an uneven security posture and poor understanding of their risk profile or exposure level.
After installing Preempt, they were able to gain robust insights with a unified view of all users and accounts across all platforms in the acquired company. This allowed them to understand who was accessing what, when, where and how along with greater visibility and control over all privileged users, service accounts and domain administrators.
This visibility enabled them to identify and clean up security issues, privileged accounts and domain admins prior to the integration. Preempt saved them significant time and resources by eliminating the all-too-common laborious manual process of gaining visibility into their network, all while ensuring they were able to reduce risk and protect the combined network infrastructure. Further, the Preempt platform enabled the company to put real-time controls on third-party partners, suppliers, vendors and other stakeholders to ensure that only valid users are able to access sensitive servers or applications.
Whether conducting M&A due diligence or merging networks following the transaction, it’s important to remember that companies’ information security risk factors can be just as consequential as their financial, legal and other business risks. Doing appropriate diligence on the cybersecurity risk and health of potential M&A targets is critical, as is following through on the deal with robust cybersecurity practices. Today’s business schools are looking at Yahoo and Verizon as one of the top case studies of how cyber risks can derail a deal: it may not be long before another botched M&A deal becomes the poster child for how cyber threats can destroy business and shareholder value.