The due diligence process for mergers and acquisitions (M&A) has long included a review of an acquisition target’s cybersecurity practices and potential risks. The news a few weeks back that Equifax will be paying a record $650 million settlement for its negligence in the 2017 data breach is a reminder of what can be hiding in a poorly vetted acquisition target. As the cost of breaches climbs, companies involved in M&A are taking a fresh look at the role of security in the due diligence process.
I spoke with people involved in cybersecurity M&A due diligence about what they consider important in the process today. According to Michael Corey, a Partner at PwC and a Cybersecurity and Privacy Risk Assurance Liaison, cybersecurity is a topic of increasing focus in M&A. “It’s not a new topic, but we’re getting asked about it a lot more this year,” he explained. “Law firms want to know about it, as do private equity funds. There’s been an increase in concern. We did more cyber due diligence work in the second half of 2018 than we did the entire previous year.”
How Cybersecurity Potentially Affects M&A Transactions
Cybersecurity issues potentially affect M&A in a number of ways. Given how costly data breaches can be in both tangible and intangible terms, acquirers want to get as much certainty as possible about the risks they are buying in a deal. “A damaged asset is worth less,” said Sean Wessman, a Principal at EY’s Americas Risk and Cybersecurity Practice. “If you’re agreeing to pay $5 billion for a company, but you then discover a billion-dollar cyber remediation, that deal should now be set at $4 billion. At the very least, you want the deal terms to give you the ability to claw back some of that money if the vulnerability becomes that expensive.”
As Wessman explained, clients want to understand the potential for risk as well as insurability in an M&A transaction. They want to understand the costs they may incur if they are “infected” by a target company. “No one wants to kill a deal over cyber, but we are getting asked ‘who will pay, and when?’ if there’s an issue down the line,” he added. “Remediation is becoming part of the valuation and deal closing processes.”
The Evolution of Cybersecurity as a Factor in M&A
“Cyber used to be a check box in due diligence,” remarked Andrew Morrison, Principal in Deloitte’s Cyber Risk practice. “In some cases, it still is, but increasingly, clients want to understand the risks they’re getting in a deal and they want to quantify them.” Morrison also noted that reviews of an acquisition target’s fraud prevention methods and of its cybersecurity policies, two separate areas of due diligence, are now merging.
Peter Evans, Chief Marketing Officer at Optiv, felt that cybersecurity is looming much larger in M&A due diligence because acquiring companies are seeing the costs involved in remediation and compliance shoot upwards. “We’ve been brought into deals where the projected costs of cyber remediation are approaching about half of the total revenue of the acquisition target!” he said. “That’s a huge burden, a dollar amount that has to figure into the cost of acquisition and budgets for venture integration.” As he further noted, this should serve as a warning for companies that defer cyber preparedness. “If you don’t invest in cyber now, you may take a haircut when you get acquired.”
When to Bring Cybersecurity Analysts into the Due Diligence Process
As cybersecurity’s importance rises in M&A due diligence, companies are bringing cybersecurity analysts into the process earlier. “We used to do cyber at the ‘sign and done’ stage of a deal,” said EY’s Wessman. “Now, we’re getting asked to review security policies and so forth much closer to the start of due diligence. The assumption is we may turn up issues that need to be addressed as the deal moves toward the close.”
Another factor that can affect the timing of cyber due diligence is a change in vulnerability as companies announce a merger. “You’d be amazed at how many hackers spring into action once they see that a company is in play,” observed Michael Corey. “It’s the fog of war. Malicious actors know that there will be security audits and granting of temporary network access to outsiders, so they take advantage of the situation to penetrate networks. The integration phase can be even more dangerous, as companies combine IT departments, giving hackers cover to impersonate administrators. You want to make sure things are well locked down before the due diligence process gets too far along.”
Cybersecurity Due Diligence Practices
According to Michael Corey, the cybersecurity aspect of M&A due diligence is an exercise in prioritization. “Some issues may need to be addressed immediately,” he said. “Others can wait. It depends a lot on the structure of the deal. If the acquired company is going to run as a separate, wholly owned subsidiary, it may not be such an emergency to fix a vulnerability.” At the same time, he pointed out, any breach that could affect the acquiring company’s reputation should get a high level of attention early on.
In general, the cyber due diligence process looks for capability gaps and differences in cyber maturity between the acquirer and the acquisition target. “You look at the full spectrum of cybersecurity,” Corey added. “Look for areas where the acquirer might need to bring the target company up to a higher maturity level. This will cost money, which should be factored into the deal.” Sometimes, his team will conduct penetration tests on the acquisition target to identify vulnerabilities while also framing the risk factors to the acquiring firm.
Some of these concerns bleed over into venture integration. The specifics of remediation fall outside the purview of due diligence, but it’s wise to understand the consequences of an issue up front. “You really want to have a conversation between the two companies about how they’re going to execute on remediation before they sign the deal,” Corey explained. “If nothing else, you may surface some differences in perspective and approach that will have to get worked through when the companies merge IT and security operations.”
Roark Pollock of Ziften, the endpoint security provider, takes a different approach. “You want to know what the target company has deployed,” he said. “This may seem a bit ‘down in the weeds,’ but it can be a real eye-opener to scan the network and see just what they’ve got running. Sometimes, the target company doesn’t even know fully what devices they have—and that can be a big risk factor.”
The unmanaged asset discovery process Pollock suggests can drive a forensic process that creates a post-deal remediation plan. “You can also do a systematic vulnerability assessment once you know the full asset inventory,” Pollock added.
Sean Wessman of EY recommends augmenting the review of the target company’s IT assets with an assessment of their supply chain and partner networks. “When you acquire a company, you’re also acquiring their connections with all sorts of other entities,” he noted. “In the same way that financial due diligence analyzes contingent liabilities, cyber due diligence should do a careful evaluation of app-to-app connections and the like.”
Who should be involved? The major consultancies each approach cybersecurity due diligence a little differently. EY has a transaction advisory service (TAS), which executes due diligence via the firm’s cyber practice. PwC is the opposite: it has a group within the cyber practice that specializes in due diligence. Deloitte uses a combination of consultants as well as people from managed services groups. Andrew Morrison explained that this approach results in an end-to-end due diligence process. “We move from identity management, to risk, infrastructure, strategy and response,” he said.
Culture, Deal Momentum and Personalities
All due diligence workflows deal with tight timelines as well as pressure not to be a “deal killer.” As Sean Wessman noted, “There’s a lot of momentum in these deals. You have a duty to do your best work, and inform the parties about risks, but as everyone gets closer to the closing time, the go/no go decision, things can speed up a lot.”
For Peter Evans, the issue is sometimes one of personality. “CEOs who make deals are used to taking risks,” he said. “That’s probably one of the reasons they’re at the top level. You may be dealing with a ‘go-go’ mentality, where people don’t want to put the brakes on a deal even if serious risk is revealed.” What can be done about this? Evans feels that offering a sensible remediation is a way to factor cyber risk into a deal without stopping the process.
“In some ways, the M&A process reflects the broader dialogue, or in some cases, tension, between security managers and the board,” Evans added. “Each side may not fully understand the duties and risks faced by the other. Our role, sometimes, is to mediate a discussion that can advance everyone’s agenda in a healthy way.”
Thinking Through the Post-Close Integration
The fragile nature of security makes it advisable to think in concrete terms about the structure and duties of the merged security organization after the close of the deal. Given that malicious actors have their eyes on the newly combined entity, it’s not a good idea to defer the details of integration. This process should include clear discussions of responsibility and detailed assessments of systemic integration that affects security.
The review of post-close integration involves resource allocation. These conversations should ideally be driven by the goal of reducing risk to acceptable levels. One potential outcome of the process is to keep the IT and security organizations separate until the details can be worked out. This is preferable to rushing a merger of IT and security that might inadvertently expose the entity to risk.
Looking Ahead to Future Deals
For experts in the cyber due diligence field, the risk environment doesn’t appear to be getting any better. “We’re now routinely getting into risks posed by nation-state actors,” said Optiv’s Peter Evans. “It’s new territory for a lot of people, especially folks who just want to do an M&A deal and run a business. All of a sudden, you’re talking about why a foreign intelligence service might be targeting them.” Advanced Persistent Threats (APTs) are also now a part of the conversation.
Cybersecurity is also increasingly a part of post-merger business plans. Evans commented, “If a company envisions leveraging 5G as their going-forward strategy post-close, just to name one example, it’s wise to walk the client through what that might mean in terms of network and data asset protection. It’s a board-level conversation, because there could be strategic and capital investment consequences to the thought process.”