For many prospective acquirers, due diligence means laborious, costly technology and policy audits that often run past the deal close, when a far lighter first step is available: looking outside the target for its digital risk and exposure. GroupSense CEO Kurtis Minder discusses this much easier (and obvious) approach.
Information and cybersecurity audits are a fundamental part of the M&A due diligence process. Given the impact of a breach on potential valuation, market acceptance, public relations and brand value, the security posture of a business being considered for an acquisition is a key element in understanding the liability, risk and value of the business.
The most famous case where a data breach dropped a stink bomb into the whole M&A process was when Verizon was in talks to acquire Yahoo! In that case it was actually two data breaches, together affecting roughly 3 billion user accounts, that were disclosed while the acquisition was being negotiated. Ultimately Yahoo! cut its sale price by $350 million and took on responsibility for 50 percent of any damages resulting from subsequent litigation.
As damaging as the Yahoo! data breaches were, Verizon was fortunate to find out about them before the deal closed, so it could revise the acquisition price. This usually does not happen, often because acquirers do not prioritize rigorous cybersecurity assessments as part of the M&A process. The norm is for data breaches and other security and compliance issues to be discovered after the fact, once the acquiring company’s personnel have the time and resources to really take a look at the acquired company’s infrastructure.
A vivid example of this “after the fact” surprise was the recent Marriott breach, in which the company learned that the systems of an acquired company, Starwood, had already been compromised at the time of the deal. Bloomberg Intelligence estimates that the damages from regulatory fines ($123 million for GDPR alone) and remediation costs will be approximately $1 billion, or 8 percent of the $13.6 billion deal, roughly the equivalent of Starwood’s annual profits at the time of the acquisition. While this is the most recent headline-grabbing example of a good deal gone bad, it is hardly the only one. According to a Forescout survey of 2,700 IT decision-makers, 65 percent reported that their companies had experienced buyer’s remorse after an acquisition due to cybersecurity issues discovered after the close.
If Only…
Cybersecurity has been an afterthought for some acquirers because of the time, cost and effort required to do a full assessment of a company’s systems, processes and risk profile. That assessment can involve countless person-hours, surveys, compliance checks and scans of devices and network elements. It also typically involves a third-party consulting organization, legal teams and various disclosure documents that are sensitive to the business. This heavyweight approach can slow down deals and cause acquirers either to bypass it altogether or to wait until the acquisition process is far enough along to justify the spending in time, money and resources. However, given the damage security issues can do to deals, companies would do better to understand the severity of any issues early in the process, or even before they begin. (Some issues are so bad that acquirers should not even waste their time and money opening discussions.)
Additionally, for institutions that are evaluating multiple companies for acquisition and are at an early stage in the process, a traditional security assessment of each company is not only too cumbersome and expensive; it is also risky, because they may not want the target companies to know they are being considered for acquisition.
If only there was a way to evaluate the security and compliance postures of target companies in a way that is efficient, cost-effective and private. Well, it turns out there is: Use targeted threat intelligence to look outside the company for signs of security vulnerability and compromise.
The Digital Risk Footprint Tells All
I have long argued that cyber intelligence data reflecting a customer’s digital risk footprint is a surprisingly accurate litmus test of a company’s security program efficacy. Think of the digital risk footprint as the security program’s shadow. A company’s digital risk footprint consists of the enumeration of that organization’s leaked data, credentials, intellectual property, fraudulent domain names, fraudulent mobile applications, vulnerable internet-facing assets and other items that should generally be kept inside and within the enterprise perimeter.
While it is inevitable that, in some capacity, sensitive data is going to leave a corporate network, an effective security program will minimize that outcome and put proactive measures in place to mitigate future and potential risks before they become an issue. An example is the detection and takedown of domain name registrations that are variations on the true corporate domain (typos, look-alike characters, a dropped hyphen, a different top-level domain, or the real name with “login” or “secure” appended), which are often “weaponized” for phishing campaigns.
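The following is an added example, not code from the article or from GroupSense, of the kind of look-alike domain check that feeds a digital risk footprint. It generates the common typosquat permutations of a corporate domain (character omission, transposition, homoglyph substitution, repetition, hyphen removal, lure suffixes and TLD swaps), then triages a feed of newly observed registrations against them, falling back to edit distance for variants the generator did not enumerate. The corporate domain `example-corp.com`, the sample feed, the homoglyph table and the suffix list are all constructed for the example; a real check would run against a passive DNS or newly-registered-domain feed, and would need a public-suffix list rather than the single-label TLD assumption made here.

```python
"""Look-alike domain triage for a digital-risk-footprint check.

Added example: the corporate domain, registration feed and permutation
rules below are constructed for illustration, not taken from any real
monitoring product or feed.
"""
from typing import Dict, List, Set, Tuple

# Hypothetical corporate domain under assessment (assumption for the example).
CORP_DOMAIN = "example-corp.com"

# Characters attackers commonly substitute to imitate a label (constructed table).
HOMOGLYPHS: Dict[str, List[str]] = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}
# TLDs a squatter might register the same label under.
ALT_TLDS = ["com", "net", "org", "co", "io"]
# Suffixes that make a look-alike read like a legitimate service host.
LURE_SUFFIXES = ["login", "secure", "mail", "hr"]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'label.tld'. Assumes a single-label TLD such as .com (simplification)."""
    domain = domain.lower().strip(".")
    if "." not in domain:
        return domain, ""
    label, tld = domain.rsplit(".", 1)
    return label, tld


def generate_variants(domain: str) -> Set[str]:
    """Enumerate typo, homoglyph, lure-suffix and TLD permutations of a domain."""
    label, tld = split_domain(domain)
    labels: Set[str] = set()
    for i in range(len(label)):                      # character omission
        labels.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # adjacent transposition
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):                   # homoglyph substitution
        for sub in HOMOGLYPHS.get(ch, []):
            labels.add(label[:i] + sub + label[i + 1:])
    for i, ch in enumerate(label):                   # character repetition
        labels.add(label[:i] + ch + label[i:])
    labels.add(label.replace("-", ""))               # hyphen dropped
    for suffix in LURE_SUFFIXES:                     # label plus lure word
        labels.add(f"{label}-{suffix}")

    variants = {f"{v}.{tld}" for v in labels if v and v != label}
    variants |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}   # TLD swap
    variants.discard(domain.lower())
    return variants


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-misses the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(observed: str, corp: str = CORP_DOMAIN) -> str:
    """Label an observed registration: exact, lookalike, contains or unrelated."""
    observed = observed.lower().strip(".")
    if observed == corp:
        return "exact"
    if observed in generate_variants(corp):
        return "lookalike"
    corp_label, _ = split_domain(corp)
    obs_label, _ = split_domain(observed)
    if corp_label in obs_label:          # brand name embedded in a longer host
        return "contains"
    if levenshtein(obs_label, corp_label) <= 2:
        return "lookalike"
    return "unrelated"


def triage(feed: List[str], corp: str = CORP_DOMAIN) -> Dict[str, str]:
    """Classify every domain in a registration feed, dropping unrelated ones."""
    findings: Dict[str, str] = {}
    for domain in feed:
        verdict = classify(domain, corp)
        if verdict != "unrelated":
            findings[domain.lower()] = verdict
    return findings


# Constructed sample of newly observed registrations (not a real feed).
SAMPLE_FEED = [
    "example-corp.com",        # the real domain
    "examp1e-corp.com",        # homoglyph: l -> 1
    "exampel-corp.com",        # transposed characters
    "examplecorp.com",         # hyphen dropped
    "example-corp.co",         # TLD swap
    "example-corp-login.net",  # corporate label embedded in a lure host
    "acme-widgets.com",        # unrelated registration
]

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_FEED).items():
        print(f"{verdict:10} {domain}")
```

Each domain the triage keeps is a finding for the footprint: an exact match that is not under the target’s control, or a look-alike, is exactly the kind of registration an effective program would already have detected and taken down, so a backlog of live look-alikes is one of the observable signals the article is describing.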
The benefit of measuring a potential acquisition candidate’s digital footprint via threat intelligence is that it is a very lightweight and noninvasive process: nothing is sent to the target’s systems, so there is normally nothing for the target to detect. It is also a virtually invisible process, because the data being gathered already exists outside the corporate network and can be readily discovered by those who know where to look (dark web, social media, open web, underground channels, etc.). Best of all, none of this requires the permission of the companies in question, so there is no need to notify them and reveal that they are being considered for acquisition.
This method of assessing a company’s digital risk and security program is ideal for evaluating large numbers of potential acquisition targets, either before or early in the traditional due diligence process. It is a screen rather than a replacement for the deeper assessment later in the deal: it shows what has already leaked or been exposed, not which internal controls are in place. The same collection can be extended to real-time monitoring of the candidate throughout the acquisition process, to track changes in security health as well as any leaks related to the transaction as it progresses.
Fast, Easy and Smart
Discovering a potential acquisition target’s exposed data and intellectual property is a fast and easy way to determine whether the acquisition process should move forward at all. It can also save enormous sums in due diligence costs compared with a full security audit, and it can avert the worst-case scenario of a good deal turning bad after the close of the acquisition.
If you are an acquisitive company or an investment bank, you should take a look at digital risk measurement as an early step in the M&A process. It will give you the information you need to determine the overall security health of an organization and the security liability you may need to consider as part of the transaction.