Between the exponential growth of data volume and variety, the emergence of stringent privacy laws and an ever-changing digital threat landscape, cybersecurity has been thrust to the forefront of critical business decisions – including M&A strategies and valuations. Today, the due diligence phase of M&A (mergers and acquisitions) transactions must scrutinize a target’s cybersecurity posture to avoid the inheritance of unwanted vulnerabilities. However, rather than representing an additional compliance burden, incorporating dynamically-evolving cybersecurity automation techniques into this process can yield a distinct advantage – generating insights to mitigate risk and enrich decision-making.
Top Cybersecurity Issues in M&A: Regulatory Risk, Cost and Public Trust
The stakes are high at the intersection of cybersecurity and M&A. Regulatory and data privacy compliance issues, legal liabilities, deal value, a company’s ability to maintain confidence among partners and consumers, and the threat of cyber attacks must be considered.
The 2021 FTI Consulting Resilience Barometer® found that nearly one-third of companies across the G20 dealt with cyber-attacks over the past 12 months. Early-stage and pre-close acquisitions have also proven to be attractive targets for cyber-criminals. In recent years, cyber-attacks have resulted in the leak of unannounced transaction details and have taken advantage of broadened attack surfaces to exploit following organizational mergers. Malicious meddling in the M&A process at either of these stages wreaks havoc on financial markets, impacts shareholder value, heightens legal and compliance risk and threatens to derail both company reputations and the deals themselves. With M&A activity booming, teams are under tremendous pressure to evaluate the risk profiles around these transactions rigorously – and should look towards implementing automated workflows and technologies to conduct cyber due diligence.
How Cybersecurity Automation Supports Due Diligence
The automation technologies called upon to manage cybersecurity threats can also be utilized to inject speed, efficiency and standardization into the data due diligence process – vastly improving risk management across the M&A lifecycle.
Data-driven insights are key to diligence-related decisions, providing an unparalleled ability to analyze a combination of company data, open-source information and external intelligence. For example, having sight of existing and potential vulnerabilities is crucial in determining whether a deal may open the door to data breaches and cyber-attacks. Automation can also accelerate the data mapping of cybersecurity reports against frameworks to represent an organization’s overall privacy and cybersecurity position in a way that serves risk-based decision-making.
Additional ways automation can be used to support cybersecurity assessments for due diligence and risk mitigation include:
- Automatically flagging risks pre-deal: Optical character recognition and weighting mechanisms enable fast, automatic identification of sensitive information within PDFs, images and other visual files across a target company’s data universe. These insights can be used to flag risk areas pre-deal, as well as support data loss prevention measures.
- Finding hidden exposures: Digital footprinting can uncover risk areas that were previously unknown to either the target or acquiring party, such as instances of domain spoofing and brand hijacking.
- Understanding the scope and strength of existing data protection measures: Visual analytics measuring an organization’s existing security controls against its contracts, roster of external partners, stores of privacy-protected data and breach notification processes can help buyers understand the extent to which a target company is protecting its sensitive data. Valuation adjustments may need to be made based upon gaps in existing practices.
- Quickly analyzing key documents: Advanced search capabilities such as those used for complex e-discovery and investigations can be applied to review existing contracts and other documents to spotlight potential security risks. Analytics can also be used to manage and assess third-party risk across a vast number of vendors, and as an organization is only as resilient as its weakest third party, these analytics provide critical intelligence. Automated smart search functionalities can also help teams understand what truly exists in the datasets that will eventually be integrated into the business when the deal closes.
In addition to cybersecurity and privacy due diligence, these strategies also assist maturity assessments and internal investigations. The data points gleaned from a technology-driven cybersecurity maturity assessment, for example, can evolve into a living, adaptive dashboard that provides benchmarking against both the portfolio and industry.
Risk is at the heart of M&A. It is the assurance and resilience built around, and in response to, those risks that determine the field’s leaders. The same is true in cybersecurity; thus, merging these spaces through the automation technologies driving the due diligence process represents an exciting opportunity. With a target company’s cybersecurity posture fast becoming a deciding element of the risks and rewards associated with potential investments, thorough investigations of security hygiene must be a priority. It is through automation, however, that organizations engaging in M&A can achieve peace of mind – leveraging the power of technology, data and intelligence to manage deal risk and create the optimal conditions for success.
Laura Kippin Senior Director, FTI Consulting | Dave Harvey Managing Director, FTI Consulting
