Due diligence for Mergers and Acquisitions through a cybersecurity lens

As businesses slowly start opening up and moving towards pre-COVID-19 growth levels, Mergers and Acquisitions (M&A) are also gradually reviving. As per the latest M&A trends survey conducted by Deloitte, 61 percent of US deal makers expect M&A activity to return to pre-COVID-19 levels within the next 12 months.[1]

Over the past few years, cybersecurity has started playing a bigger role in M&A. Several acquiring companies suffered hefty losses as they realized the target company’s past data breaches only after completing the final deal transactions. This, in turn, resulted in significant financial fines and reduction in the target company’s overall deal value that could have been avoided if cybersecurity due diligence had been conducted at the initial stage.

In the aftermath of COVID-19, this issue has compounded as M&A transactions depend on collaborative tools and technologies. The shift to remote working, coupled with an increase in data breaches and privacy/cybersecurity regulations across the globe, has shown that cybersecurity is imperative during the entire M&A lifecycle.

In this blog, we look at the due diligence process for M&A through a cybersecurity lens and understand its risks and associated challenges.

Understanding the cyber due diligence process

During an M&A transaction, the acquiring company conducts due diligence to better understand the target company’s operations such as finance, technology, HR, supply chain, marketing, and sales. Similarly, the acquiring company conducts cybersecurity due diligence to understand cybersecurity controls and potential risk areas in the target organization (including any subsidiaries and third-party vendors).

During the due diligence process, the following key cybersecurity-focused questions need to be asked:

How has the target organization done in the past in terms of cybersecurity, i.e. have there been any major security incidents, regulatory fines or data breaches?
What are the current security controls in place and how are they performing? Some specific risk areas to consider:

Security governance and management
Usage of open-source software for critical data processing
Cloud security risk (where data is on cloud)
Infrastructure risk
Intellectual Property (IP) and crown jewel security risk
Cyber resilience risk
HR-related risk
Compliance risk
Regulatory risk
Data privacy risk

Will the organization be able to respond to the evolving threat landscape in the future? If not, how much effort is required to enhance its security posture?

Getting an answer to these questions will help the buyer gain an insight into the potential risk areas and anticipate the amount of effort and cost required to fix security issues or make them compliant with the buyer’s security policies.

Challenges faced during the due diligence process

Conducting due diligence requires significant preparation, analysis, and research. Some challenges faced while performing the due diligence process include the following:

Lack of support from the target organization:

Getting timely support (in terms of access, documentation, and other details) from the target organization to conduct due diligence, is essential. The target organization is often hesitant to provide these details as it could reduce the value of the acquisition or derail the entire process.

Fast-paced deals:

In a high-value deal, the time to conduct a due diligence is often limited due to competition from multiple potential buyers.

Risk of the unknown:

Although buyers are expected to have conducted the target company’s in-depth analysis, they may be unaware of any past incidents or breaches.

Lack of documented evidence:

Although buyers are expected to have conducted the target company’s in-depth analysis, they may be unaware of any past incidents or breaches.

Permissions to perform external breach and log assessment:

There are several tools in the market that can identify potential or unidentified data breaches. However, a vast majority of organizations may restrict access to these tools due to confidentiality reasons.

Cybersecurity laws and regulations:

Organizations need to comply with numerous cybersecurity and data privacy laws and regulations, depending on their industry sector, geographical presence, and business type. This makes it challenging for the acquiring company to understand the requirement and its implication in the deal transaction.

Carve out acquisition:

In case the buyer is looking to purchase a portion (a few products, market, segment or business unit) of the target organization, the scope of due diligence needs to be defined and understood. Carve out risks (risk of dependencies on parent organization for cyber-related services) become significant in this situation.

Interest of the target:

A due diligence outcome depends on the target company’s interest to sell. The higher the interest, the more chances of the buyer getting a good understanding of the cyber posture. This will enable sound decision-making on the deal.

Use of technology:

The intensity of cyber due diligence depends on the use and adoption of technology in the target organization. Cybersecurity will be more relevant if technology has a dominant role in running and managing the organization and its business operations.

Future integration strategy and cost:

Understanding the integration strategy planned by the business, in case of an acquisition, helps in better decision-making and risk remediation. The cyber team will have a better view of the future and be better able to answer the question of whether the organization will be able to respond to the evolving threat landscape in the future? And if not, how much effort/cost is required to enhance the organization’s security posture to do so?

Identifying applicable privacy cybersecurity laws and regulations (such as PCI DSS, GDPR, and CCPA) is critical for due diligence. The buyer must get an assurance and related artefacts for compliance with regulatory requirements and applicable laws by the target organization.

What about after the due diligence – post acquisition

Due diligence is only the first step towards any acquisition. When the buyer decides to go ahead with the acquisition, a Seller-Purchase Agreement (SPA) is signed with the target organization. SPA agreements contain conditions that need to be adhered to, by the target company. Buyers can include any control requirements they would like the target organization to enforce for any high-risk area identified during the due diligence. After signing the SPA, the buyer needs to abide by certain regulatory approvals before finalizing the deal.

Finally, when the deal is closed and publicly announced, technology integration activities are planned and implemented. Most of the deals go through a transition period, wherein, the acquired company moves its technology operations to the buyer’s infrastructure. In certain cases, the technology operations of the acquired companies are kept separate and not integrated. These decisions are usually made by the business steering committee involved in the M&A process, keeping in mind strategic business objectives. However, cybersecurity needs to be embedded irrespective of the integration type. The cybersecurity team should evaluate risks at each stage of integration and manage them in co-ordination with the technology team(s).

Conclusion

Each due diligence exercise is different, and its intensity depends on the factors outlined in this blog. We cannot follow a one-size-fits-all approach. Therefore, pursuing each exercise differently, depending on the nature of the deal but also covering the necessary elements of cyber risk, is important for an effective diligence exercise.

References

https://www.forbes.com/sites/allbusiness/2020/04/17/impact-of-coronavirus-crisis-on-mergers-and-acquisitions/?sh=4a85dc1e200a

https://www2.deloitte.com/us/en/pages/mergers-and-acquisitions/articles/m-a-trends-report.html?id=us:2em:3cc:4dcom_share:5awa:6dcom:mergers_and_acquisitions