Mergers and acquisitions (M&A) remain a key strategy for businesses growth and expansion into new markets. In the first half of 2016 alone, M&A deals involving Indian companies increased by 82 percent to $27 billion. The Indian government is contemplating the merger of state-run oil producers and refiners to create a stronger national firm, while the State Bank of India hopes to complete its merger with five associate banks by the end of the 2016. With acquisitions such as Quickr buying CommonFloor and Myntra acquiring Jabong, we should expect the M&A trend to continue.
The typical M&A addresses risks from many angles: litigation, workforce issues, environmental regulation violations, to name a few. Yet all too often, business risks stemming from cyber security incidents are overlooked. The truth is, acquiring companies often bring on an unwanted asset: outside attackers operating in the network of the acquired company.
Why is a security breach bad for an M&A deal?In the worst case scenario, the target company is compromised by an unknown attacker and sensitive data or intellectual property has already been stolen. This can make the deal net negative and could compromise the acquiring organization as well.
If a company is an acquisition target based on the value of their intellectual property, a compromise could mean that valuable intellectual property is no longer exclusively theirs. After a breach, competitors could have obtained the most valuable data. To make matters worse, the attackers can gain a foothold into the buyer once the companies' computer networks become integrated.
In other instances, the target company has suffered a previous breach that is only revealed to the buyer after the purchase, or the target company is host to an attacker that maintains a presence in the environment, watching and waiting. There are also incidents where attackers destroy critical business systems, leak confidential data, hold companies for ransom, and taunt executives, or the acquired company has a systemic cyber security issues stemming from a weak or nonexistent security program.
Weak oversight will, over time, create vulnerabilities across many security areas that will take time to fix.
What can be done to mitigate cyber security risks?It is important to ensure that cyber security risk assessment is an integral part of an M&A process and to recognize that it is no longer an optional excertise. If the reputation of a brand or the operations of a firm are damaged by a cyber security breach, it could have a significant impact on the balance sheet and brand reputation.
Cyber security due diligence provides assurance that the target acquisition is not currently breached, and the acquisition would not compromise your current brand, IP or data. It can also give companies a powerful lever in negotiations over the value of the business. Security assessment during an M&A helps organizations assess and reduce risk and address potential security gaps throughout the merger or acquisition process.
Some of these precautions to be kept in mind during M&A are:
" Threat detection & response to evaluate the maturity and thoroughness of a target organization's response processes and technologies
" Access controls to identify whether proactive controls have been established to prevented unauthorized access to sensitive data
" Infrastructure security to ensure that effective controls are in place from network to endpoints to prevent compromise
" Data safeguards to determine if proper capabilities exist to identify, monitor and protect high-value information assets
" Partnership with legal firms to allow companies to be ahead of the curve prior to a breach or security event
By ensuring M&A cyber risk assessments are an integral part of their plans, companies can minimize business risks and steer clear of common mistakes in this area.
The security risks associated with M&A will not go away, but India Inc can better protect its balance sheet and brand reputation by examining the cyber security aspects of these deals.
Guest Author
The author is Senior Regional Director, India and SAARC, FireEye