Cyber assessment should be ongoing during M&A process, not a point-in-time exercise.
Much like technology waves, we’ve seen a number of merger and acquisition (M&A) waves over the years, with spikes in the late 90s, followed by a fairly sharp drop in 2002, another spike in 2007, and a steady increase to present day.
But each wave faces a slightly different set of challenges and risks, and we’ve seen multiple examples of acquisitions gone wrong over the years. Take the Quaker Oats and Snapple example from 1994—Quaker overpaid and also failed to understand how the company was run and how to bring value-added skillsets to the table. Ultimately, Quaker sold Snapple for $300 million—a $1.4 billion loss. Or, take Sprint’s acquisition of Nextel Communications in 2005—a deal that promised product and service cross-selling. Yet, not long after the merger, swarms of Nextel execs and managers left the company on account of cultural differences and incompatibility. By 2008, the company had to write off $30 billion in one-time charges due to goodwill impairment. Clearly, there was a need for better evaluation to better understand the risks and ensure the success of these acquisitions.
There have been a number of challenges and risks in various acquisitions over the years. Yet as we turn to the most recent spike that we’re seeing in the present day, we see a different type of risk. The others—financial, cultural, etc.—still exist, but there’s a new one that decision makers must consider: cyber risk.
Take the Verizon acquisition of Yahoo in 2017 as an example. Following Yahoo’s security breach disclosures, there was a $350 million acquisition price cut.
Forescout recently commissioned a survey of nearly 3,000 IT decision makers (ITDMs) and business decision makers (BDMs) to examine the growing concern of cyber risks and the importance of cyber assessment during M&A and determine how well companies are prepared to deal with cyber risk during M&A.
The research study, The Role of Cybersecurity in M&A Diligence, uncovered a number of interesting insights into the current mindset of ITDMs and BDMs, as well as some of the areas of concern and opportunities for improvement during the due diligence process of an acquisition. On a positive note, we did find that organizations are placing more focus on a target’s cybersecurity posture than they did previously. Eighty-one percent of ITDMs and BDMs agree that they are putting more of a focus on a target’s cybersecurity posture than in the past, highlighting that cyber is a top priority for both IT and business decision makers.
At a glance, cyber is recognized by decision makers as something they need to pay attention to, because if they don’t, it could stop a deal in its tracks, or result in major financial losses or reputational damage down the road.
However, despite the recognition of due diligence as an important part of the evaluation process, the survey responses highlight that the point at which cyber assessment began during M&A varied significantly:
- 6% of respondents reported that integration—the last phase of an acquisition—was the point at which cyber assessments began.
- 22% reported that they started during due diligence.
- 33% reported they started during target screening.
- 38% reported that they started at strategy creation—the very beginning of the acquisition process.
Not only do these findings highlight very disparate views as to when cyber assessment should begin, but they also suggest that cyber assessment may be viewed by many as a point-in-time exercise. It is absolutely critical that the assessment of a target company’s cyber posture and the evaluation of potential vulnerabilities start from the very beginning of the M&A process and continue through integration and post-integration. It’s important to remember that even if the initial evaluation does not find any significant cyber risks, the target company will continue to operate—with current employees, customers, vendors and the connected world at large—throughout the M&A process. And, at any point, the target company’s assets and devices could become vulnerable. Without continuous evaluation, it can be very difficult to develop and maintain a comprehensive view of cyber risks.
Cyber assessments should be a major part of the acquisition evaluation process—not only at the point of integration, but throughout the entire acquisition. However, I want to be clear that any cyber evaluation, no matter how thorough, can only go so deep until the transaction is complete and the acquiring company has full access to the target company’s network, hardware, software, and other assets.
Given that, it’s never too early to start the due diligence process—to start questioning what risks your company would be willing to take on, as well as the risks that are just too great. Doing so will hopefully allow you to uncover as many risks as possible prior to the final transaction, but will also allow your company’s internal evaluation team to already have a list of specific areas to investigate.
It’s also important to remember that slow and steady wins the race. Time and time again I’ve seen companies complete an acquisition and jump straight into integration because they are in such a rush to take advantage of the new capabilities, customer base, or larger market. That’s sort of like buying a drone and attempting to fly it right out of the box without any training, or attempting to put together a piece of IKEA furniture without reading the instructions. There is substantial risk in simply pulling over the newly acquired company’s assets and infrastructure without fully evaluating what you’ve just acquired. A thorough evaluation is an investment that may take time but will prove invaluable in the long run.