This is the first part in a series of posts looking at the cybersecurity risks throughout the stages of mergers and acquisitions.
Mergers and acquisitions are steadily growing worldwide. Over 62,000 global mergers and acquisitions — valued at $5.1 trillion — happened in 2021, according to PwC.
This trend doesn’t appear to be slowing down in 2022. And neither are the cybersecurity issues posed by these deals.
The cybersecurity risks related to mergers and acquisitions are real. And expensive.
There are countless examples of cybersecurity incidents that upended mergers and acquisitions. For example, Marriott International was hit with a database breach in 2018 that affected up to 500 million guests of its Starwood hotels, which it acquired in 2016. After an investigation, it was discovered the breach started in 2014 — before the acquisition. Marriott International was later fined £18.4 million ($23.8 million) by the U.K. Information Commissioner’s Office for failing to implement appropriate measures to protect customers’ personal data.
Protecting all assets — workstations, cloud services, software, users, and more — wherever they’re located is essential. That need only grows when organizations merge or are acquired.
So it’s crucial that each organization understands what assets it has before entering into a contract to merge or be acquired. For the acquiring organization, that means knowing which assets are included in the deal so its IT and security teams can identify any cybersecurity risks.
The focus for the organization being acquired is on vulnerabilities: what and where they are, testing for them, and remediating the risks.
When it comes to discovering the cybersecurity risks in mergers and acquisitions, timing is pivotal, and so is the point at which IT and security get involved.
CIOs, CISOs, and their teams are key to safeguarding all the assets involved in mergers and acquisitions. This also includes the organization’s reputation.
But in some cases they’re not involved, or don’t even know about a merger or acquisition, until late in the process. There are various reasons, one of which is the secrecy that often surrounds negotiations.
Yet cybersecurity assessments sometimes come in the later stages of a merger and acquisition. Over 50% of organizations wait until they’ve completed due diligence to investigate and identify any cybersecurity and data privacy risks and liabilities, according to IBM’s Assessing Cyber Risk in M&A report.
That decision only creates problems (hello, security and compliance issues!) and can lead to data breaches once a merger or acquisition is complete. This could result in damage to an organization’s brand and reputation, financial loss, regulatory fines, legal action, and more. And it goes without saying that all of these potential liabilities negatively affect the bottom line of these deals.
Getting IT and security teams involved earlier in the process helps strengthen protection, assessment, and regulatory compliance during the planning stage of a merger or acquisition, as well as during the stages that follow. For these teams, mergers and acquisitions are as much about the business perspective as they are about the technology, security programs, and cybersecurity risks, according to Lenny Zeltser, CISO at Axonius.
“As a security professional, I tend to worry and that’s what we do,” said Zeltser during an episode on Techstrong TV. “We’re really good at thinking about all the ways things can go wrong. We think about risks. If I’m part of the acquiring entity, I worry about what we get in terms of risk. Does this strengthen or weaken my security program? Could the acquired entity already be breached and now all of a sudden I’m dealing with an incident?”
“That’s one way in which security professionals are thinking about the situation: what can go wrong and what are the big risks,” he continued. “But I’m looking at this in another perspective: how can I as a security professional enable the business objective.”