As businesses slowly start opening up and moving towards pre-COVID-19 growth levels, Mergers and Acquisitions (M&A) are also gradually reviving. As per the latest M&A trends survey conducted by Deloitte, 61 percent of US deal makers expect M&A activity to return to pre-COVID-19 levels within the next 12 months.
Over the past few years, cybersecurity has started playing a bigger role in M&A. Several acquiring companies suffered hefty losses as they realised the target company’s past data breaches only after completing the final deal transactions. This, in turn, resulted in significant financial fines and reduction in the target company’s overall deal value that could have been avoided if cybersecurity due diligence had been conducted at the initial stage.
In the aftermath of COVID-19, this issue has compounded as M&A transactions depend on collaborative tools and technologies. The shift to remote working, coupled with an increase in data breaches and privacy/cybersecurity regulations across the globe, has shown that cybersecurity is imperative during the entire M&A life cycle.
In this blog, we look at the due diligence process for M&A through a cybersecurity lens and understand its risks and associated challenges.
During an M&A transaction, the acquiring company conducts due diligence to better understand the target company’s operations such as finance, technology, HR, supply chain, marketing, and sales. Similarly, the acquiring company conducts cybersecurity due diligence to understand cybersecurity controls and potential risk areas in the target organisation (including any subsidiaries and third-party vendors).
During the due diligence process, the following key cybersecurity-focussed questions need to be asked:
Will the organisation be able to respond to the evolving threat landscape in the future? If not, how much effort is required to enhance its security posture?
Getting an answer to these questions will help the buyer gain an insight into the potential risk areas and anticipate the amount of effort and cost required to fix security issues or make them compliant with the buyer’s security policies.
Conducting due diligence requires significant preparation, analysis and research. Some challenges faced while performing the due diligence process include the following:
Identifying applicable privacy cybersecurity laws and regulations (such as PCI DSS, GDPR, and CCPA) is critical for due diligence. The buyer must get an assurance and related artefacts for compliance with regulatory requirements and applicable laws by the target organisation.
Due diligence is only the first step towards any acquisition. When the buyer decides to go ahead with the acquisition, a Seller-Purchase Agreement (SPA) is signed with the target organisation. SPA agreements contain conditions that need to be adhered to, by the target company. Buyers can include any control requirements they would like the target organisation to enforce for any high-risk area identified during the due diligence. After signing the SPA, the buyer needs to abide by certain regulatory approvals before finalising the deal.
Finally, when the deal is closed and publicly announced, technology integration activities are planned and implemented. Most of the deals go through a transition period, wherein, the acquired company moves its technology operations to the buyer’s infrastructure. In certain cases, the technology operations of the acquired companies are kept separate and not integrated. These decisions are usually made by the business steering committee involved in the M&A process, keeping in mind strategic business objectives. However, cybersecurity needs to be embedded irrespective of the integration type. The cybersecurity team should evaluate risks at each stage of integration and manage them in co-ordination with the technology team(s).
Each due diligence exercise is different, and its intensity depends on the factors outlined in this blog. We cannot follow a one-size-fits-all approach. Therefore, pursuing each exercise differently, depending on the nature of the deal but also covering the necessary elements of cyber risk, is important for an effective diligence exercise.