

In the excitement of working through a merger or acquisition (M&A) deal, it can be easy to lose sight of the tasks that are less flashy than negotiating a sale price or determining who the new CEO will be. Not paying attention to cybersecurity issues, however, can have potentially disastrous effects downstream, so it’s important to give them high priority during the M&A process.
Oak Street Funding’s Adam Farag (Vice President of Strategic Markets) spoke with cybersecurity experts Ben Phillips, of Katz Sapper & Miller CPAs and Advisors, and Cody Rivers, of Reveal Risk, on a recent OnPoint podcast to get their insights into this important topic. Here are some of the points they shared:
Current cyberthreat environment
Companies are increasingly vulnerable to losses because of attacks on, or via, third parties, such as software providers. As systems become more and more intertwined, a breach in one firm’s security can potentially open the door to attacks against companies connected with it. Even without a direct breach, a company can face major losses due to a cybersecurity incident affecting a crucial external partner, such as an essential software provider, causing that partner to fail or shut down.
Another major cybersecurity threat is ransomware, where an attacker breaches a firm's systems and data, encrypting or otherwise blocking access until a ransom is paid. A growing form of ransomware is the “RansomFake,” in which a cybercriminal uses AI to create a deepfake video of a company employee doing something embarrassing or illegal. The bad actor threatens to make the video public unless the employee divulges a password or provides another form of access to their employer’s systems.
How to evaluate a target company’s cybersecurity
During the due diligence phase of M&A, it’s crucial to thoroughly vet the target company’s cybersecurity. In our podcast, Rivers suggested focusing on three primary elements of cybersecurity: people, process, and technology. While technology has been improving, he noted that people and process have further to go. “Process isn’t the sexiest part of cyber,” said Rivers, but it is vital. He stressed the importance of a target company documenting its processes and fully training all employees in them.
Phillips encouraged potential buyers to ask point-blank questions of the target company. “Are you aware of any security incidents you've had in the last six months? What about the last three years? Do you have policies that you follow or are they just policies that you have because you must have them?” He also recommended the use of asset discovery tools to identify and classify all IT (information technology) resources within the target company and the implementation of data breach detection tools to disclose any past or continuing vulnerabilities.
Both experts agreed on the importance of having a methodical approach to assessing a target’s cybersecurity. They recommended having a prepared list of questions, not just talking off the cuff. They also pointed out that doing a cybersecurity audit on one’s own company ahead of M&A would be an excellent way to prepare for evaluating a target.
How cybersecurity can impact valuation
The cybersecurity compliance requirements of the target company can present significant expenses post-close, which could reduce its valuation. For example, if a target company has a single client that requires compliance with CMMC (Cybersecurity Maturity Model Certification) rules, the entire company must follow those requirements as well. That means that the acquiring firm must also extend those cybersecurity requirements to its entire operation.
Upgrading to a higher level of cybersecurity compliance can be costly, and buyers should take those potential expenses into account when negotiating a purchase price. This consideration is especially important because the upgrade would need to take place immediately upon closing, when the buyer’s liquidity could be limited.
Additional considerations to look out for during M&A
As a critical part of the M&A process, a comprehensive transition services agreement (TSA) must be established. This document is essential for defining the roles and accountability for all tasks during the transition. Critically, it must assign responsibility for managing a potential data breach and stipulate which party will lead the necessary public relations response.
Other questions to answer include: If the buyer and target use different software vendors, which one will be used going forward? How will the Enterprise Resource Planning (ERP) systems of the two companies be integrated?
Prioritizing cybersecurity
Cybersecurity should never be an afterthought in M&A dealings. It’s a vital part of a firm’s success, and it should be evaluated as stringently as any other aspect of the business.