Cyber risk remains a top concern for modern CEOs who see it as a potential disruptor to their business in the next 12 months. This becomes particularly significant given the global anticipation of an M&A rebound this year: dealmakers would not want to risk their long-awaited strategic moves due to the poor cybersecurity posture of a target. 

In this article, we focus on the role of M&A cybersecurity during due diligence, explain how cyber risk assessment can impact the valuation and negotiation process, and explore where cybersecurity risks intersect with other M&A risks.

The role of cybersecurity in M&A

According to Gartner, 62% of IT and business leaders believe that their companies face substantial cybersecurity risks when acquiring new businesses, and cyber risk ranks as their primary concern among post-merger challenges.

The role of cybersecurity in mergers and acquisitions should not be underestimated. Failing to identify and address security problems and risks in the early stages of a deal can lead to serious financial and reputational consequences for both the acquiring and the target company. Here are a few cases:

1. TalkTalk data breach

TalkTalk, a U.K.-based telecom company, faced a £400,000 fine after a threat actor accessed a customer database it had acquired, resulting in a significant data breach.

2. Verizon’s acquisition of Yahoo

The valuation of Verizon’s acquisition of Yahoo’s internet business dropped by $350 million following Yahoo’s disclosure of three major data breaches compromising over one billion customer accounts.

3. Marriott’s acquisition of Starwood Hotels

A massive data breach in Starwood’s reservation system exposed nearly 400 million guest records and resulted in a $123 million GDPR fine for Marriott due to inadequate data privacy measures during the acquisition process.

In mergers and acquisitions, the focus has traditionally been on areas like finance, legal, and operations, with cybersecurity due diligence often overlooked. However, it is becoming increasingly clear that organizations considering M&A transactions benefit from a dedicated security vulnerability assessment of the target.

CEOs and M&A decision-makers must approach the question of cybersecurity proactively, as a potential data breach can pose a substantial threat to critical business assets, such as intellectual property or customer information.

Such a risk assessment should be an ongoing process rather than a one-time event, and it should begin before integration, so that the organization can mitigate potential cyber incidents before the target’s systems are connected to its own.

Cybersecurity due diligence in the M&A process

About 60% of companies involved in M&A activity consider cybersecurity posture a crucial factor in the due diligence process.

Let’s explore the key components that should be included in mergers and acquisitions cybersecurity due diligence. They will help uncover any security issues and liabilities, assess the costs for remediation, and minimize business disruptions:

  • Data security and regulatory compliance 

Conduct a comprehensive security audit and assess the target company’s compliance with data security and privacy regulations such as GDPR, CCPA, and HIPAA. Review data protection policies and procedures to identify any gaps or non-compliance issues.

  • Cybersecurity infrastructure

Evaluate the effectiveness of the target company’s cybersecurity infrastructure, including firewalls, intrusion detection/prevention systems, encryption methods, managed security services, and access controls. Identify any weaknesses or vulnerabilities that could be exploited by cyberattacks.

  • Incident response and recovery capabilities

Review the target’s incident response plan and procedures to assess their readiness to detect, respond to, and recover from cybersecurity incidents. Evaluate the effectiveness of their incident detection and response capabilities, including monitoring tools and protocols.

  • Third-party and vendor risk management

Evaluate the target firm’s relationships with third-party vendors and assess the cybersecurity concerns associated with these partnerships. Review vendor contracts, security assessments, and incident response plans to identify potential vulnerabilities and dependencies.

  • Employee training and awareness

Assess the target’s cybersecurity training and awareness programs to ensure that employees are educated about cybersecurity best practices and aware of cybercrime within the evolving threat landscape. Evaluate the effectiveness of these programs in reducing human error and mitigating insider threats.

  • IT systems integration risks

Evaluate the potential cybersecurity risks associated with integrating the target’s technology systems and infrastructure with those of the buyer. Ensure secure data migration. Identify any compatibility issues, security gaps, or vulnerabilities that could arise during the integration process.

Impact of cybersecurity on valuation and negotiations

Cybersecurity due diligence findings, or hidden cybersecurity issues that reveal a target’s poor security posture, can significantly affect the deal valuation and the negotiation process. We discuss the possible effects below.

Purchase price reduction 

If the acquiring company’s cybersecurity team finds that the target company’s security processes have vulnerabilities, this can be reflected in the purchase price: the potential costs of addressing the identified issues, such as system upgrades, hiring security experts, or implementing new protocols, may be factored into the price.

There are two common ways in which purchase price can be impacted:

  • Direct costs

Suppose the buyer’s M&A security due diligence team discovers the target has outdated security infrastructure. In that case, it may reduce the purchase price to account for the investment required to bring systems up to standard.

  • Liabilities and potential fines

Suppose the due diligence team reveals that the target company’s practices are non-compliant with certain data protection regulations, such as HIPAA or GDPR. In that case, the buyer might adjust the purchase price to offset potential future liabilities.

Future earnings adjustments

If an acquiring company discovers certain cyber risks post-acquisition, it may need to adjust its future earnings projections. This is because the buyer might face unexpected expenses related to improving current security measures, legal liabilities, or recovery from data breaches, all of which detract from the anticipated financial performance.

This is how future earnings adjustments can be reflected:

  • Revenue impact

A company’s future earnings might be adjusted if cybersecurity issues are likely to affect customer trust and, as a result, revenue. For instance, if a breach becomes public, it can lead to a loss of clients or contracts, reducing the company’s future revenue projections.

  • Operational disruptions

The potential risks of operational disruptions due to cybersecurity attacks (for example, ransomware) can affect a company’s valuation. If a target company’s operations are vulnerable to cyberattacks, this risk can lead to an adjustment in the expected cash flows, thereby lowering the overall valuation.

Revision of negotiation terms

The disclosure of certain cybersecurity vulnerabilities can lead to the two companies revising the deal’s negotiation terms. This includes renegotiating certain aspects to protect the buyer from potential losses or liabilities related to undisclosed cybersecurity issues.


The items of the negotiation process most commonly affected by the disclosure of cybersecurity risks are the following:

  • Escrow and holdbacks

To mitigate risks, part of the purchase price might be held in escrow or subject to holdbacks, depending on the resolution of identified cybersecurity issues.

  • Representations and warranties

Buyers may require sellers to provide warranties against future cyber incidents or breaches that occurred before the acquisition. For instance, this can include warranties that the company complies with relevant cybersecurity regulations and standards.

Brand and reputation damage

Disclosed cybersecurity issues can harm the brand and reputation of the acquired company, and potentially the acquiring company as well. This damage can lead to a loss of customer trust and loyalty, negatively affecting market position and revenue, and may require significant effort and resources to rebuild.

Among the ways cybersecurity issues can affect an organization’s reputation are the following:

  • Public perception

A company’s reputation regarding cybersecurity can influence its market value. Companies known for strong cybersecurity practices may enjoy a premium valuation, while those with poor records may face discounts.

  • Customer trust

Disclosure of cybersecurity problems may also undermine customers’ trust in the company’s ability to protect their data during the mergers and acquisitions process. As a result, this can significantly affect customer retention and acquisition, directly impacting revenue and valuation.

Comparing cybersecurity risks with other M&A due diligence factors

Now, let’s briefly review how M&A cybersecurity concerns are similar to and different from other types of risks in mergers and acquisitions, and find out whether they intersect.

[Table: cybersecurity risks during M&A due diligence]

As seen from the table, cybersecurity risks are often either the cause of other M&A risks or their result. This only highlights the importance of addressing cybersecurity promptly and accurately for M&A success.

Key takeaways

  • Poor cybersecurity practices in M&A can lead to significant financial losses and reputational damage for both parties involved.
  • Cybersecurity due diligence should include the assessment of data security, compliance, cybersecurity infrastructure, incident response and recovery capabilities, third-party and vendor risk management, employee training and awareness, and IT systems integration risks.
  • The main effects of cybersecurity issues on valuation and negotiation processes are the reduction of purchase price, future earnings adjustments, revision of negotiation terms, and reputational damage.
  • Cybersecurity issues during M&A can also be a cause or a result of other M&A risks, such as financial, operational, legal, and strategic risks.

Rapid digital transformation has placed a heavy burden on cybersecurity.

The perfect conditions for attacks date back to the beginning of the pandemic, when companies had to expand access to their previously internal systems. Added to this is the ever-rising volume of customer data, which cybercriminals use as a weapon to threaten companies’ reputations.

To clarify the leading causes of current attacks, the key factors influencing risk, and the strategic approach to today’s data privacy challenges, we interviewed Márcia Tosta.

What is the major impact of cyber crimes and leakages on companies?

Márcia Tosta:

Cyber crimes have a series of direct and indirect costs for companies because of the damage they can cause to their reputation and the consequential loss of interest in their products and services. Among these costs are the loss of financial assets, a fall in the value of shares, loss of intellectual property, lawsuits as a result of the violation of confidential information, and those related to supply chain trust contract breach – by both the inability to pay and the loss of credibility.

There is also the increased cost of cyber insurance, which is calculated on top of the risk and raises exponentially when a cybercrime happens. Executives must bear the fines and penalties for failing to comply with current legislation requirements, in particular, the General Data Protection Law (GDPL), due to the leakage or misuse of customers’ sensitive personal data, employees, and partners.

What are the key factors behind cyber attacks?

Márcia Tosta:

Companies of all sectors and sizes are undergoing an intense digital transformation, fueled by the pandemic, which has led them to make available a series of new digital products and services, based on the adoption of new technologies, such as 5G, for example, which has made remote working possible by guaranteeing higher quality and speed of connections. 

In other words, today, we have a new way of working and behaving virtually. In this scenario, companies have had to provide access to critical systems outside their security perimeter, migrating to the cloud to be more productive and efficient. 

Many applications were not prepared for exposure to the whole internet and had vulnerabilities and less robust source code, especially because they were developed to be used within the company’s infrastructure. Therefore, more efforts and investments must be made in IT and security to validate identities and establish access policies for all applications. 

Unfortunately, the speed of these efforts often lags behind the needs of administrative and business fields, generating more vulnerabilities and increasing the risks of leakages or intrusions. At the same time, criminals have discovered that digital crimes are highly profitable as they can be carried out remotely, stealing data and kidnapping for ransom.

Other aspects to consider are:

  1. The obsolescence of equipment and technological platforms in banks and other large industries, as the old hardware does not support the software updates necessary to guarantee security, as they do not evolve at the same speed.
  2. The fact that we are all in the cloud today generates a series of gaps that can be exploited, mainly because criminals have discovered the high profitability of digital crimes, such as theft and data encryption so they can demand a ransom.
  3. The high turnover of security professionals caused by high market demand, which also generates costs, as each time skills migrate to competitors or foreign companies, it is necessary to train and educate new team professionals.

What are the main cyber attacks in the last two years?

Márcia Tosta:

Currently, the main form of cybercrime is ransomware, kidnapping data and demanding a ransom for its return. It can start with a phishing attack, meaning the use of tricks to steal or obtain victims’ personal information, such as passwords, bank details, credit card numbers, among other important data, or by spear phishing, a targeted email scam aimed at gaining unauthorized access to confidential data.

Cybercrimes can target individuals but also very commonly occur against companies, because when the attacker accesses intelligence, confidential and especially personal data, they ask for a ransom to return the data so that the company can avoid fines and reputational damage. For example, if the penalty for a General Data Protection Law violation would be BRL 50,000, they would ask for a ransom of BRL 20,000.

To prevent these cyberattacks from occurring, it is essential that organizations identify and protect themselves against possible vulnerabilities. They must design very well-structured and detailed policies and processes to carry out updates, preventing intrusions or leakages during the update period.

Are Brazilian companies prepared to detect, respond and recover from attacks?

Márcia Tosta:

In Brazil, there is still very little sharing of intelligence and best practices against threats. Many companies still don’t take sufficient care with their vulnerability management programs, with corrections and constant application updates in terms of code or infrastructure. 

In addition, few companies adopt market frameworks that would improve the overall detection and response processes. There are now frameworks that help to detect, identify and react to attacks, which need to be adopted in practice as soon as possible, as information security requires constant improvement. This is because attacks occur against all companies, regardless of their size or sector, and the greater the profitability that can be generated by data theft, the greater the chance that cybercriminals will act, with the exchange of knowledge and practices being our best weapon against the spread of this type of crime.

How important is GDPR?

Márcia Tosta:

The General Data Protection Law introduces a unified regulatory language to identify and process all privacy risks. Today, not considering the protection of personal data can have relevant impacts on companies through penalties and reputational losses. It is an excellent law because previously, the data was used in a very banal way. 

In summary, the law meets market demand, but it needs to be increasingly understood and applied to companies’ businesses, as it regulates data management processes not only for the protection of companies but particularly for data subjects. Its entry into force requires companies to be diligent about ensuring the trust of their customers and respecting consumer rights. Therefore, companies are now being more careful in defining the essential data they need to collect for their core business; they pay attention to its safe storage, treatment, and analysis, which is beneficial for the business as a whole.

What were the main initiatives to promote the LGPD?

Márcia Tosta:

National companies are adapting to the requirements of the General Data Protection Law, as it is an innovative regulation and requires attention to all stages of data management. We are learning from the legislation on a day-to-day basis. And contrary to what many companies think, it’s not just about hiring a DPO, having a channel for customer queries, and obtaining consent to hold data. 

It is necessary to know how the data is collected and stored and for what purposes to guarantee its suitability and security in all its processes. Therefore, good privacy practices need to go hand in hand with cybersecurity practices, as only those who need it should have access to data, and the market still has some way to achieve this.

The company size does not determine risks, as these have grown for all because the access and adoption of new technologies have also increased, with greater exposure to crime. For this reason, I advise everyone to adopt three basic principles:

  • Constant training of people
  • Analysis and frequent review of processes
  • Updating and evaluating technologies 

The more people know and understand risks, the more efficient the adoption of the security culture. Recognizing cyber risk as part of the business and being diligent and proactive in mitigating such risks is essential. It is also necessary to involve senior management in all information security and data privacy steps.

Which sectors are most impacted by cyber and privacy risks?

Márcia Tosta:

Cyber risks involve all types of companies, especially businesses, as data breaches or theft can block operations. These risks can impact companies from all sectors. Still, I would highlight those that deal with a large volume of data, incredibly personal and sensitive data in their core business, such as those in the financial, telecommunications, energy, retail, pharmaceutical, and health sectors.

What are your recommendations for preventing or mitigating attacks?

Márcia Tosta:

It is necessary to have visibility of the entire computing environment of an enterprise, to know the technologies and systems used, the processes, and access points. 

That includes in-depth control of the users’ systems and extensive knowledge of the technology architecture to implement several layers of protection to compose the defense.

The companies that are better responding to today’s challenges are those constantly improving and extracting the maximum from the investments made. It is essential to train the technical personnel, businesses, and senior management continuously to apply the necessary protection measures to safeguard, in particular, their digital identities, which offer criminals an opening to attack.

The necessity of, and the ideal approach to, implementing best practices in cybersecurity and data protection were at the core of an event recently hosted by the M&A Community.

At the event, four experts from different corporations spoke on ways to strengthen information security, data protection, and governance in order to avoid cyber crimes and fraud, which have grown exponentially in recent years.

The specialists also addressed corporate capacity to detect, respond to, and recover from such occurrences. They provided tips on avoiding mistakes and making the proper data protection and privacy decisions.

Why are companies more sensitive to cyber-attacks today, and what are the main risks?

With the world’s digitalization and higher dependence on technological asset transactions, the volume and sophistication of cyberattacks have also grown significantly. “The pandemic accelerated the digital transformation of businesses, which are increasingly more tied to digital technology and information to produce wealth today. Thus, companies became more sensitive to the damages caused to digital assets, and the result is that there was, simultaneously, an escalation of volumes of crimes committed by organized groups, which has demanded more investments and attention from companies to fight these violations and mitigate the risks generated”, states Marcos Sêmola.

With broad experience in the fight against risks and fraud, Alexandre Ibrahim emphasized that, though the Central Bank and the Basel Accords heavily regulate the financial sector, it has also felt the impacts of this new reality. “We seek to follow a framework, with mapping of all risks, which includes processes of identification and assessment of each risk to measure management needs,” he says. According to him, it is evident that there are risks for which it is hard to find quantifiable KPIs (Key Performance Indicators). Still, today there are criteria that enable measuring operational and reputational risks per product and per area to estimate effective or practical losses in each occurrence.

Sêmola complemented by stating that today’s challenge is multifaceted, with different types of risks and specificities that facilitate or hinder their detection, classification, follow-up, and response. “These characteristics make it even harder for risk and cybersecurity managers to present to administrative councils the impacts of these risks, in the short, medium, and long term, for them to understand and make suitable decisions to mitigate their effects in the management of companies,” explains the E&Y partner.

What are the challenges to informing administrative councils of the risks that impact or may come to impact the company’s business and help them in decision making?   

For Márcia Tosta, the information security work must be advisory and drive the business, not only make it feasible. Therefore, it is an area that must understand the company’s business, its future expectations, and its risk appetite. “The big challenge when a security professional joins a company that does not have security as a core business, as in the case of Petrobras, is to show the relevance of security to the business, its consistency, and continuity. That is, learn to speak the language of the company board so that they can see security as an aggregating factor for the business,” says the Petrobras CISO.

Security areas must be well structured in the company and go hand in hand with the other areas of the company, including in all conceptions and prospects. “This is fundamental because costs become very high if the concept of Security by Design is not adopted, which includes security at the start of all projects. After all, correcting conceptual or architectural security mistakes with projects in the process is much more complicated and expensive,” explained Márcia.

In a scenario of major digital transformation, where new technologies emerge all the time and new vulnerabilities are constantly found, the company must always be updating and adapting its internal processes. This means that companies must avoid becoming rigid in their operations or in the creation of new businesses, while at the same time keeping an efficient security ecosystem (processes, people, and technology) that the other areas can call upon whenever a new business opportunity or project arises.

“The great changes in Petrobras occurred because the security area started to speak the language of the business. The world changed, and we must adapt by giving due importance to the area inside the whole corporate context. In other words, we understand the company’s risk appetite, the best way to communicate with leaders and structure a good ecosystem”, remarked the Petrobras director.

Sêmola commented that the desire to show the value of security for the business is old. However, it emerged some years ago, at the wrong time, when cybersecurity problems did not directly affect the business. “Today, the moment is perfect because the Administrative Council and C-Level are much more aware of cyber risks and their consequences for the operations, finances, and reputation of companies,” added the E&Y partner.

What is the importance of data protection and privacy in the security ecosystem?

In information security, a fundamental aspect today is data protection and privacy, because it ensures compliance with the General Data Protection Act (LGPD), a new law that has been in force for too short a time to have generated case law, while the National Data Protection Authority (ANPD) is still refining and regulating its requirements.

“It’s important to understand that the movement to adapt to LGPD warned companies on the relevance of information security for their businesses. That is because accountability on data collection, storage, analysis, and processing increased, not only corporate data but personal data as well; and the understanding of the risks involved in these processes has also expanded,” says Daniel Motta.

In the case of Eletrobrás, according to Motta, there was already structured work on information security in the compliance area, based on GDPR and its case law, in addition to data protection laws from other countries. Since the company already had a mature structure, it was not necessary to remake the security ecosystem or run a specific LGPD project.

It was only necessary to follow the existing path, which already counts on constant assessments to ensure continuous improvement. “In short, we fitted in our risk assessment matrix those referring to privacy, as well as their reputational and financial impacts, in terms of the sanctions provided in the LGPD, to reduce to the maximum eventual calls from ANPD or due to other legislations in force,” explained the Eletrobrás DPO.   

Motta reported that Eletrobrás only added the management of privacy risks to data subjects, which contributes a great deal to reducing corporate risks. “Our challenge was to explain this specific need to the board and show the relevance of communicating rules of personal data management to all managers of the company,” he added. Another essential measure at Eletrobrás was the inclusion of the DPO in the whole company’s workflow, with the promotion of events and mandatory training on data protection and privacy in all areas.

Sêmola also commented on Eletrobrás’ adoption of the NIST framework, which organizes controls under five functions: risk identification, asset protection, detection of ongoing risk, response to a materialized risk, and damage recovery. “Earlier, 20 years ago, only the first two functions of NIST were observed because, theoretically, they were sufficient to stop the risk at the start. Today, with the investment and destructive capacity of cybercriminal groups, it is essential to observe the five functions to minimize risks to the business,” he emphasized.

How can risk management, information security, and data protection areas work jointly in favor of the organization?

“To do a good job as DPO, I need to have access to risk and cybersecurity reports, sponsorship for communication, and constant monitoring of data protection and privacy risks. That is because, with these resources, we can draw the attention and win the support from the business areas to be more effective in our work, and better report to the board and administrative council,” concludes Motta.

Ibrahim agreed that communication with the other areas and involvement of the organization’s board is essential for risk management processes to work. “We classify relevant risk under three aspects: financial, regulatory, which includes LGPD, and perspective, where cybersecurity was always relevant, and with the pandemic became even more relevant,” said the BV director. For him, this recognition makes it indispensable to know how to communicate risks appropriately to top management, including their volatile nature and the company’s vulnerabilities. That is, in addition to technical capacity, the CISO must be a good communicator of his or her analyses and of the measures to be taken for mitigation.

Giving board members a more comprehensive and complete view of the need to invest in security takes three steps. First, it is necessary to get closer to the company’s risk management area to understand how risk identification, measurement, and classification are done. The second step is to learn to communicate in the language of the business areas, so as to obtain a seat on the organization’s risk committee and then address the subjects of the other sectors and contribute to the safety of all. The third step is to develop a routine of meetings with the different areas to convey the relevance of risks in each project clearly and objectively. “Inside a company, each area sees its business from its point of view, and you must understand that to efficiently communicate with them all, that is, be involved and present in all areas,” added Márcia.

The Petrobras executive reinforced that the technology area must apply the controls defined as necessary, whether for application security or data privacy. For this reason, IT must implement, execute, and operate all security and privacy guidelines. The security area, in its turn, must verify on a dashboard that the controls are applied and where problems occur, so that decisions can be prioritized correctly. “The secret is to work together, synergetically, to meet and even anticipate the organization’s needs and expectations,” says the Petrobras executive. Sêmola concludes that “information security must be aligned with the company’s purpose.”

What is the relevance of “Security by Design” and “Privacy by Design”?

The idea is that all companies adopt these two concepts in all their processes and apply them from the beginning of any project. Márcia affirms that “it is very important to include these concepts in the onboarding and collaborators integration program of the company so that they will be informed and trained from the moment of admission, requiring even a test and a given score to receive their credentials.”

Ibrahim confirms that they are essential for the safety of companies and should be absorbed by all the company’s talent, who need to be guided to keep practicing them in all actions inside the company. “Companies very often keep the focus on ‘Security by Design,’ placing it in systems, but the right thing to do would be to include it in all the company’s routines and processes, in the daily routine of professionals,” remarks Motta.

Summary

With the world’s digitalization and higher dependence on technological asset transactions, the volume and sophistication of cyber attacks have also grown significantly.

  • It is mandatory to prioritize the most valuable assets. To respond to the damage caused to digital assets, companies must adopt and constantly update their risk mapping, including processes of identification and assessment of each risk, to scale their management needs.
  • Information security work must be advisory and should drive the business, not only make it feasible. Therefore, it is an area that must understand the company’s business, its future expectations, and its risk appetite; a connection to the business is needed.
  • Today, administrative councils and the C-level are much more aware of cyber risks and their consequences for the operations, finances, and reputation of companies. The CISO plays an important role as the glue between the executive and IT departments.
  • The entry into force of the LGPD reinforced the relevance of information security to the business, because accountability for data collection, storage, analysis, and processing increased, not only for corporate data but for personal data as well, and the understanding of the risks involved in these processes has also expanded.
  • Risk managers, CISOs, and DPOs must be involved in the companies’ business areas to be more effective. It is indispensable to know how to communicate appropriately with top management.
  • “Security by Design” and “Privacy by Design” are concepts that must be adopted today in all processes and from the beginning of any project.