Across most industries, M&A deals have been on the rise. Recent tax changes, a looser regulatory climate than years past and increasing cash reserves have spurred activity and optimism among U.S. dealmakers. And the uptick in mergers and acquisitions is expected to continue.
But, as we’ve learned with Marriott’s acquisition of Starwood and the massive data breach (and fines) that later ensued, any business navigating a potential acquisition in this day and age must make cybersecurity part of the deal.
A recent report by West Monroe, which surveyed 100 senior global executives in early 2017, found that cybersecurity continues to be a major issue in relation to M&As, both in due diligence and after the deal closes. The report goes on to say that cybersecurity was the number two reason software M&A deals were abandoned, and the second most-common reason buyers regretted a deal.
So, it could be safe to say, that the strength of a company’s financials is just as important as their cybersecurity. Below are a few considerations for any company navigating an acquisition:
Securing the Deal
- Seek companies that have cybersecurity at the executive level: An early sign of a company with strong cybersecurity practices is one that has prominent security leadership within its executive team and at the board level. Look for alignment of security leadership and company goals.
- Bring in the security team early and often: Many companies wait until the end of the deal making process to check out the company’s security posture. Create a vetting process that evaluates the company’s cybersecurity just as it would the financials as early as possible. This helps save everyone valuable time and energy.
- Conduct a thorough audit: Gain a complete understanding of the company’s security posture through a proper audit. Review past reported attacks, breaches and the size of the attack surface. Compare security policies, technologies and procedures and look for ways to close gaps that exist.
- Evaluate the impact of regulations and risks and the company’s compliance to required regulations: Ensure the company is following current regulatory guidelines and determine whether any new state laws will impact the company’s business and handling of information. For example, how has the company implemented policies and controls to meet the requirements of the European Union General Data Protection Regulation (GDPR)?
- Determine how IT systems and data will be consolidated and protected: As you move further into the deal making process, discuss how critical IT systems and data will be merged, consolidated and protected. Evaluate the resilience of IT and the ability to recover after a disruption, such as a natural disaster, ransomware or other attacks to the business.
- Check for security posture and composition of the company’s software: Every business today is a “software business” in that software plays a significant role in how companies commercialize their value to customers. For businesses acquiring software or website assets, leverage AI to speed up and test for the discovery of software vulnerabilities and take steps to remediate them as quickly as possible. This is the most common reason for a data breach. The other area is getting visibility into the composition of the software. What open source or third-party libraries are being used that could introduce vulnerabilities or intellectual property and licensing risks? These items can have a material impact on the viability of a deal and certainly the value of a transaction. Therefore, it is critical to use an Application Security solution that can provide software composition analysis (SCA) insight.
- Look on the inside: Check how internal security is handled for the company’s own employees. Determine if they employ and encourage safe security practices. Do they have documented security policies and offer training and best practices for secure data management, as well as their own security?
- Consider the impact to the workforce – Will some employees be laid off as part of the acquisition? Ensure that you have a plan in place to communicate security policies if some employees will be let go as part of the acquisition, so they do not become a risk to the business down the road.
There’s no doubt a merger or acquisition can be highly beneficial for both parties involved. But with our reliance on technology and the uphill battle we face with cyberattacks today, security must become equally important to evaluating the strength of a company’s financials during the deal making process.
Have you read?
# Top 500 Best Universities In The World For 2019.
# Rich list index: Meet the richest People the the world 2019.
# Russia’s Rich List 2019: Wealthiest People In Russia.
# The 100 Most Influential People In History.