Due diligence for Mergers and Acquisitions through a cybersecurity lens
As businesses slowly start opening up and moving towards pre-COVID-19 growth levels, Mergers and Acquisitions (M&A) are also gradually reviving. As per the latest M&A trends survey conducted by Deloitte, 61 percent of US deal makers expect M&A activity to return to pre-COVID-19 levels within the next 12 months.[1]
Over the past few years, cybersecurity has started playing a bigger role in M&A. Several acquiring companies suffered hefty losses as they realized the target company’s past data breaches only after completing the final deal transactions. This, in turn, resulted in significant financial fines and reduction in the target company’s overall deal value that could have been avoided if cybersecurity due diligence had been conducted at the initial stage.
In the aftermath of COVID-19, this issue has compounded as M&A transactions depend on collaborative tools and technologies. The shift to remote working, coupled with an increase in data breaches and privacy/cybersecurity regulations across the globe, has shown that cybersecurity is imperative during the entire M&A lifecycle.
In this blog, we look at the due diligence process for M&A through a cybersecurity lens and understand its risks and associated challenges.
Understanding the cyber due diligence process
During an M&A transaction, the acquiring company conducts due diligence to better understand the target company’s operations such as finance, technology, HR, supply chain, marketing, and sales. Similarly, the acquiring company conducts cybersecurity due diligence to understand cybersecurity controls and potential risk areas in the target organization (including any subsidiaries and third-party vendors).
During the due diligence process, the following key cybersecurity-focused questions need to be asked:
- How has the target organization done in the past in terms of cybersecurity, i.e. have there been any major security incidents, regulatory fines or data breaches?
- What are the current security controls in place and how are they performing? Some specific risk areas to consider:
- Security governance and management
- Usage of open-source software for critical data processing
- Cloud security risk (where data is on cloud)
- Infrastructure risk
- Intellectual Property (IP) and crown jewel security risk
- Cyber resilience risk
- HR-related risk
- Compliance risk
- Regulatory risk
- Data privacy risk
Will the organization be able to respond to the evolving threat landscape in the future? If not, how much effort is required to enhance its security posture?
Getting an answer to these questions will help the buyer gain an insight into the potential risk areas and anticipate the amount of effort and cost required to fix security issues or make them compliant with the buyer’s security policies.
Challenges faced during the due diligence process
Conducting due diligence requires significant preparation, analysis, and research. Some challenges faced while performing the due diligence process include the following:
Identifying applicable privacy cybersecurity laws and regulations (such as PCI DSS, GDPR, and CCPA) is critical for due diligence. The buyer must get an assurance and related artefacts for compliance with regulatory requirements and applicable laws by the target organization.
What about after the due diligence – post acquisition
Due diligence is only the first step towards any acquisition. When the buyer decides to go ahead with the acquisition, a Seller-Purchase Agreement (SPA) is signed with the target organization. SPA agreements contain conditions that need to be adhered to, by the target company. Buyers can include any control requirements they would like the target organization to enforce for any high-risk area identified during the due diligence. After signing the SPA, the buyer needs to abide by certain regulatory approvals before finalizing the deal.
Finally, when the deal is closed and publicly announced, technology integration activities are planned and implemented. Most of the deals go through a transition period, wherein, the acquired company moves its technology operations to the buyer’s infrastructure. In certain cases, the technology operations of the acquired companies are kept separate and not integrated. These decisions are usually made by the business steering committee involved in the M&A process, keeping in mind strategic business objectives. However, cybersecurity needs to be embedded irrespective of the integration type. The cybersecurity team should evaluate risks at each stage of integration and manage them in co-ordination with the technology team(s).
Conclusion
Each due diligence exercise is different, and its intensity depends on the factors outlined in this blog. We cannot follow a one-size-fits-all approach. Therefore, pursuing each exercise differently, depending on the nature of the deal but also covering the necessary elements of cyber risk, is important for an effective diligence exercise.
References
https://www2.deloitte.com/us/en/pages/mergers-and-acquisitions/articles/m-a-trends-report.html?id=us:2em:3cc:4dcom_share:5awa:6dcom:mergers_and_acquisitions
