In the business world of today, and especially here in Corporate America, Merger and Acquisition activity (also known as "M&A") is a key activity that takes place on an almost daily basis. Some buyouts are big and make the news, while many others are much smaller and don't attract the media. M&A activity can take place in any industry, but we are now seeing it take place more frequently in the Cybersecurity Industry.
The prime driver for this is the innovation that is taking place. Many new kinds of Security products and tools are coming out, especially ones with AI and ML technologies embedded in them. So why reinvent the wheel and spend millions of dollars trying to come out with a new product when you can simply purchase the intellectual property of another company and rebrand it as your own?
While this might be a very tempting and "easy" route for the C-Suite to take, it comes with a price as well. For example, if the firm being acquired has any questionable Cybersecurity practices, it can have a drastic impact upon the entire valuation of the M&A deal. Take these as examples:
*Data breach disclosures by Yahoo resulted in a $350 Million reduction in the sale price of Yahoo when it was acquired by Verizon in 2017;
*After Marriott acquired Starwood, it announced a Security breach that caused the stock price of Marriott to decline by 5.6%. Because of that, Marriott now faces potential penalties of up to $200 Million and possibly even more.
So as one can see, making sure that the right Cybersecurity practices are in place at the company being acquired is an absolute must, not only to ensure the proper valuation of the M&A deal, but also to make sure that it remains intact after the fact. In this blog, we will look at some of the top steps an acquiring company can take to make sure that at least some baseline "Cyber Hygiene" is in place at the company being acquired.
For example purposes, let us assume that Company X is the acquiring company and that Company Y is the company that is being acquired. The factors that need to be taken into consideration are illustrated in the diagram below:
*Make sure that you have the right teams in place:
When evaluating the Cybersecurity practices of Company Y, the CISO of Company X must take full and complete charge. He or she must assemble a team that has the capabilities to thoroughly inspect the level of Cyber Hygiene at Company Y. This team could be composed of different Cybersecurity specialists, such as Forensics Specialists, Threat Hunters, Penetration Testers, etc. What is important is to examine what Company Y has done to strengthen its lines of defense; whether it has ever been the victim of a Cyberattack; and what steps it has taken to discover any unknown Security weaknesses and vulnerabilities. A real-world example of this is when ADP was evaluating the potential acquisition of another company called "WorkMarket". Details of this kind of due diligence can be seen here at this link:
It is important that this type of engagement by Company X takes place at the initial stages of the proposed M&A activity, before the deal terms are finalized.
*Determine, at a macro level, the level of Cyber Hygiene at the company to be acquired:
In this aspect, simply examining the various Security tools and technologies at Company Y is not enough. The CISO and the team at Company X must take a "holistic" and unbiased approach to what the entire Cybersecurity culture is like at Company Y. This means scrutinizing things at a qualitative level, such as examining the Security Policies, the level of both employee and management engagement, the Security Awareness Training programs in place at Company Y, etc. The CISO will also want to make sure that Company Y is in full compliance with all applicable mandates and regulations, and if possible, should request a complete Cybersecurity Audit of Company Y in order to fully ascertain the risks it is exposed to from the threat landscape. All of this gives Company X an idea of whether it can take on the level of Cyber Risk that Company Y brings to the deal.
*Formulate a deployable Cybersecurity Plan for after the M&A activity has occurred:
In a way, M&A activity is like a marriage, in which two partners come together to form one complete unit. It is at this point of the union that Cybersecurity is absolutely critical, because you are now merging two IT/Network Infrastructures and their related IT Assets into one entity. This is when the Cyberattacker will try to make their move, since new weaknesses and vulnerabilities can emerge from the union itself (for example, systems that were isolated in one company now become reachable from the other's network). In this regard, Cybersecurity experts point out that it is essential to have:
*A 100 Day Plan: During this period, those IT Assets that have been classified as high-risk should be monitored on a 24-hour basis in order to help ensure that they do not become the target of a large-scale Cyberattack;
*A 365 Day Plan: Activities here include making sure that a new and strictly enforced Security Policy is put into place, as well as defining the roles and responsibilities of the new CISO/CIO, their IT Security Managers, and the respective IT Security teams after the M&A activity has taken place. It is also important at this point to have a plan for conducting a Security Awareness Training program at a regular interval (at least once a quarter) for all of the new employees, in order to bring them up to speed on the new Security Policies that have been implemented.
In other words, “Business leaders need to develop and follow an agile integration plan to securely integrate the people, processes and technology of the two organizations.” (SOURCE: https://www.weforum.org/agenda/2019/03/4-ways-to-cyberproof-your-business-during-m-a/).
*Keep maintaining high levels of Cyber Hygiene:
After your 365 Day Plan has expired, it doesn't mean that maintaining a high-caliber Security posture comes to an end. If anything, this should be a top priority all of the time, and once again, although the CISO and his or her teams have responsibility for this, all of the employees need to take part. One can't simply pass the buck to the IT Department to do all of this. It takes the work of all employees to make sure that the new organization does not fall prey to a Cyberattacker. This means reviewing and updating the Security Policies as needed, rehearsing and practicing Incident Response and Disaster Recovery drills, and even running Penetration Testing exercises in order to make sure that the new business stays on top of the Cybersecurity Threat Landscape.
My thoughts on this?
I think the last time I was ever involved in studying the facets of M&A Activity was back when I took a required 600 level course in Finance when I was doing my MBA. But of course, back then Cybersecurity was not as much of an issue as it is now. Although I do read the financial headlines, it never occurred to me that Cybersecurity could have such a huge impact upon the valuation of an M&A deal.
When engaging in this kind of activity, and if the company is large enough (such as a Fortune 500 one), the C-Suite of the acquiring company should always strongly consider making use of a third-party accounting firm. They typically employ the people needed to conduct a thorough Cybersecurity Audit of the company that is to be acquired.
For a smaller to medium sized company (one that probably cannot afford the services of a large-scale accounting firm), always consult with your business attorney first in order to determine the best way to conduct your Cybersecurity due diligence if you are thinking of buying out another company.
But in the end, make sure that you always have a Cyber Insurance Policy – this is becoming almost as vital as health insurance today.