Cybersecurity Perils of M&A

By Keith Delahunty Senior Product Manager
April 11th 2024 | 5 minute read

In this continuing series on cybersecurity with Arnaud Wiehe, author of The Book on Cybersecurity and Emerging Tech, Emerging Threats, we explore the underappreciated cybersecurity risks that can arise any time firms engage in M&A activities.

It’s a familiar story for any homebuyer. After intense scouting you find your ideal house. It’s the right size. In the area you want to be. The place could maybe use some updating, but the price is attractive. And other prospective buyers are circling, so you need to move ahead, fast.

Pulling the trigger without proper due diligence, though, risks courting disaster. A technical inspection may uncover subsidence issues, dry rot, a termite infestation or faulty pipes. That dream property could quickly turn into a money pit.

Overlooking cybersecurity in any mergers and acquisitions targets holds similar dangers, noted Arnaud Wiehe, author of The Book on Cybersecurity and Emerging Tech, Emerging Threats.

Just ask Verizon. Its 2016 deal to buy Yahoo was delayed by months as it assessed the fallout from two huge, previously undisclosed Yahoo data breaches. Verizon eventually paid $4.5 billion for the company, $350 million less than its original offer. And under the amended deal terms, Yahoo remained responsible for liabilities from shareholder lawsuits and SEC investigations stemming from the breaches.

Why prioritize cybersecurity during M&A transactions

Most financial institutions will be involved in M&A activity at some point – perhaps multiple times. The usual rationale is some variation on the growth and synergy theme: whether it’s an opportunity to move into new asset classes, new geographies, to gain new skills or a bigger customer base. Cybersecurity costs and their potential implications often get ignored amid the scramble for growth.

“But they need to be factored into the calculation of whether the acquisition makes sense or not,” Wiehe advised.

Failure to understand the costs and risks of any defense weaknesses can damage not only your company’s finances but its reputation. An organization with weak cybersecurity practices is more vulnerable, potentially devaluing its worth, observed Wiehe – as seen with the Verizon/Yahoo tie-up. Overlooking cybersecurity could also expose firms to legal liabilities, especially if data breaches occur post-acquisition, he added.

Merging cybersecurity

Merging firms usually have different cybersecurity hygiene levels. Cybercriminals will target the weaker partner as an easier access point, so post-acquisition the cybersecurity frameworks need to be equalized at the highest level as fast as possible.

“During that transition you’re actually quite vulnerable,” warned Wiehe. “There are two worlds colliding, with different infrastructures, different capabilities, perhaps different approaches, and they don’t always understand each other that well.” Sharing data during the M&A process is a prime risk point, he added. “Doing so without the right precautions could expose valuable intellectual property or sensitive data.”

The clean-up needed to get the merged entity to the desired security standard can take considerable work. Take a common example, of one company with Microsoft endpoints and another with Mac ones, said Wiehe. “When you bring the two environments together, you now have to manage Mac and Microsoft operating systems. You end up with two types of tooling for endpoint protection, maybe two different antivirus systems. That ‘technical debt’ is messy. It’s also expensive to get to one unified set of systems, processes and people supporting your environment.”

And this complexity arises from just one acquisition. Making multiple acquisitions results in a panoply of tools, and more people to support them, unless the organization can get to a unified infrastructure, cautioned Wiehe.

Ensure proper protections

That is why it is so important for firms to conduct a thorough cybersecurity assessment of their proposed partners before diving into any M&A commitment.

Areas Wiehe highlighted include:

  • Technical compatibility: Understanding the make-up of your acquisition target’s technology stack is crucial. Risks stem not just from what they have but how it will mesh with your existing infrastructure. How difficult and expensive will it be to bring the environments together and protect them?
  • Network & cloud considerations: How does the target structure and host its infrastructure? Is its technology mainly on-premises or cloud-delivered? Examine everything from its legacy devices to its cloud security to ensure you aren’t inheriting a technical nightmare.
  • Identity management: Evaluate access protocols, password policies and overall identity management to guard against security lapses. One company may use five-character numeric log-ins; the other a 10-character alphanumeric. Do you bring these together?
  • Compliance: Familiarize yourself with the applicable laws, regulations and compliance history of the target organization. Firms that operate in different countries and/or sectors will have distinct compliance obligations.
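The identity-management point above (a five-character numeric login on one side, a 10-character alphanumeric one on the other) can be made concrete. The following is an added example, not code from the article or from Wiehe: it models each firm's password policy, quantifies the gap in brute-force search space between them, derives a merged policy that keeps the stricter requirement on every axis, and checks whether a credential would pass the merged policy at the next reset. The policy definitions and the sample credentials are constructed for illustration.

```python
import math
import re
from dataclasses import dataclass

# Named character classes a policy may require to be present.
CLASS_PATTERNS = {
    "digit": re.compile(r"[0-9]"),
    "letter": re.compile(r"[A-Za-z]"),
}


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    alphabet: str                 # every character the policy allows
    required_classes: frozenset   # subset of CLASS_PATTERNS keys


# Constructed policies matching the two firms described in the article.
NUMERIC5 = PasswordPolicy("firm-a-numeric", 5, "0123456789", frozenset())
ALNUM10 = PasswordPolicy(
    "firm-b-alnum", 10,
    "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",
    frozenset({"digit", "letter"}),
)


def min_entropy_bits(policy: PasswordPolicy) -> float:
    """Search-space entropy (bits) of the shortest password the policy accepts."""
    return policy.min_length * math.log2(len(policy.alphabet))


def brute_force_ratio(weak: PasswordPolicy, strong: PasswordPolicy) -> float:
    """How many times larger the stronger policy's minimum search space is."""
    return 2 ** (min_entropy_bits(strong) - min_entropy_bits(weak))


def merged_policy(a: PasswordPolicy, b: PasswordPolicy) -> PasswordPolicy:
    """Equalize 'at the highest level': take the stricter setting on every axis."""
    return PasswordPolicy(
        name=f"merged({a.name},{b.name})",
        min_length=max(a.min_length, b.min_length),
        alphabet="".join(sorted(set(a.alphabet) | set(b.alphabet))),
        required_classes=a.required_classes | b.required_classes,
    )


def complies(password: str, policy: PasswordPolicy) -> bool:
    """True if the credential satisfies length, alphabet and class requirements."""
    if len(password) < policy.min_length:
        return False
    if any(ch not in policy.alphabet for ch in password):
        return False
    return all(CLASS_PATTERNS[c].search(password) for c in policy.required_classes)


def reset_required(password: str, current: PasswordPolicy,
                   target: PasswordPolicy) -> bool:
    """A credential valid under the old policy but not the merged one must be reset."""
    return complies(password, current) and not complies(password, target)


if __name__ == "__main__":
    target = merged_policy(NUMERIC5, ALNUM10)
    print(f"{NUMERIC5.name}: {min_entropy_bits(NUMERIC5):.1f} bits")
    print(f"{ALNUM10.name}: {min_entropy_bits(ALNUM10):.1f} bits")
    print(f"ratio: {brute_force_ratio(NUMERIC5, ALNUM10):.3g}x")
    print(f"{target.name}: min_length={target.min_length}, "
          f"classes={sorted(target.required_classes)}")
    # Constructed sample credentials, one per firm.
    for pw, pol in (("48213", NUMERIC5), ("Ab3dEf7hIj", ALNUM10)):
        print(pw, "reset required:", reset_required(pw, pol, target))
```

The useful output is not the entropy figures themselves but the decision they drive: every account that was valid under the weaker policy fails the merged one and therefore needs a forced reset during integration, which is the kind of cost the article says should be priced into the deal.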

Sometimes an M&A tie-up can be a gift, said Wiehe, where you acquire a company with a better cybersecurity framework that allows you to quickly springboard your own capabilities. Where it’s the opposite, any cybersecurity deficiencies can be a major hazard.

About Arnaud Wiehe

Arnaud Wiehe is an author, speaker, consultant, and thought leader in cybersecurity. He has worked in leadership and cybersecurity roles for major global companies, including as a CISO for multiple years. He holds several prestigious cybersecurity certifications, including:

  • Certified Information Systems Security Professional (CISSP)
  • Certified Cloud Security Professional (CCSP)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Certified Fraud Examiner (CFE)

Throughout his career, Arnaud has demonstrated a strong focus on cybersecurity best practices and keeping current with emerging trends, technologies, and innovation. He is a graduate of the Singularity University and a member of the Association of Professional Futurists. He is widely respected by his peers as an expert in cybersecurity and IT governance.

Arnaud is also an enthusiastic amateur musician and luthier. He plays the violin, viola, cello, and mandolin. He has made two violins, a viola, and numerous bows.

Keith Delahunty
Keith is responsible for all aspects related to Transfer Agency, driving product development, vision, strategy, & execution across Deep Pool applications. Keith holds a master’s degree in finance & has extensive experience working in Private Equity, Alternative & Retail asset classes.