05 Mar The Cyber Security Risk of Merger and Acquisition
In the case of a merger or an acquisition, from the Cyber Security perspective … Buyer Beware!
Cyber risk assessment and due diligence are now on a par with financial due diligence for any business going through a merger or acquisition.
Notifiable data breaches, consumer privacy complaints and ransomware attacks can cause very significant financial loss to a business, both directly and indirectly.
Marriott Hotels acquired Starwood (SPG) and its 1,200 properties in 2016 for $13 billion. In 2018 the group disclosed the largest data breach of that year: an intrusion in which the personal details of up to 383 million guests were affected, the data having been stolen from the Starwood guest reservation database that Marriott inherited in the 2016 acquisition.
Marriott shares lost 5.6% in premarket trading when the incident was reported, not to mention the reputational damage done to the business.
While growth in most industries now depends on current and emerging technology such as artificial intelligence, advanced analytics and the Internet of Things (IoT), that same technology also exposes companies and their customers to new kinds of cyber risk, arriving in new ways.
Sense of Security provides cyber security consulting and boardroom level advisory in several assignments related to mergers, acquisitions and the protection of Intellectual Property. All Board Members should consider the 5 key cyber security due diligence items listed below in any merger and acquisition process:
1.Perform Cyber Risk Assessment
Perform a Cyber Risk Assessment to understand whether further investment is required to uplift the cyber security defences of the business to be acquired or merged. The assessment establishes the cyber security posture of that business.
A Cyber Risk Assessment involves:
- Understanding the cyber threat landscape of the business;
- The maturity of its current cyber security management practices;
- Its security operational processes; and
- The cyber risks of the IT technology the business maintains.
Cyber risk assessments are often followed by a cyber security strategy plan or roadmap, which gives Board Members crucial guidance for the business plan.
2.Review information security compliance and data security legislative obligations
Depending on the industry and the business to be acquired, perform a comprehensive review of its state of compliance against the cyber security standards that relate to its regulatory obligations and data privacy. This ensures the acquirer fully understands the compliance obligations it will inherit, and the management oversight it needs to manage the business integration in the most optimal way.
3.Perform Cyber Security Review of Supply Chain Management
If significant revenue streams depend on a third party managed service or a delivery partner, perform a cyber security review of these significant partners so that business decisions are not blind-sided by cyber risks which are not directly visible to the business.
Third party cyber security reviews often call out cyber security management gaps which may not be clear in existing contractual obligations and which may put the acquirer at risk. These gaps affect how quickly a cyber incident is responded to, and how a cyber incident should be reported in the new business.
4.Protect Intellectual Property from Cyber Threats
It is common in the merger and acquisition process to evaluate the software products and/or IT technologies which underpin the business to be acquired. Apart from holding the software in escrow, it is recommended that a cyber security source code review be performed to ensure that there is no intentionally malicious code which could jeopardise the future of the software products.
Similarly, a series of cyber security tests must be performed on the IT technologies to be inherited, as part of the acquisition and assurance process, to ensure that any vulnerabilities which may impact the future operations of the acquired business are identified and addressed.
5.Board Level Cyber Security Advisory
Engage an independent cyber security advisor to advise the Board on cyber security matters throughout the merger and acquisition process. This ensures cyber risks are identified early in the commercial process.
Often, the cyber risk items identified will affect the total cost of acquiring the business and may influence the speed of integration and the investment roadmap.
Board members and business advisors should make cyber security and data privacy a priority in business mergers and acquisitions.
The board should equip itself with the right questions to understand cyber risks and make decisions which could make a difference to the valuation of a business.
Sense of Security is Australia’s leading cyber security advisor and can guide board members and business executives in mitigating cyber risks in business mergers and acquisitions.