Cyber due diligence: the role of security in M&A activity - Bistech

How to manage risk in potential acquisitions.

The total value of global merger and acquisition (M&A) deals announced in 2021 was $5.8 trillion, according to Refinitiv, significantly surpassing the $3.59 trillion in 2020[1]. With such an increase in activity, there’s the potential that, at some point in its lifetime, your organisation will be involved in an acquisition — whether as an acquiring company or a target.

The process of acquiring a business involves comprehensive due diligence, which has traditionally focused on the legal, commercial and financial aspects of a target business. Although technology and IP asset appraisal have also increasingly been considered in recent years, there’s one element that’s commonly overlooked despite the risks it can present for an acquiring organisation: cyber security.

Today, with increasing regulatory, investor and customer requirements, it’s critical that an organisation’s cyber security posture is properly considered in potential acquisitions. This was emphasised in a high-profile example earlier this year when the major AM100 dealer group Pendragon was subjected to a ransomware attack while undergoing discussions for a prospective £400 million takeover. The hackers stole 2TB of data and demanded a $60 million ransom to prevent them from releasing it[2]. Although the deadline expired without the data being released, the buyers walked away.

In addition, cyber security often has a significant impact when it comes to the value of a company. For example, earlier this month, cloud computing company Rackspace suffered a catastrophic ransomware attack resulting in a hosted Exchange email outage — which is still ongoing — and at the time of writing has led to a 30% drop in its share price[3]. Understanding the maturity of a company’s cyber security posture is therefore a useful tool when going into negotiations, which means the implications of failing to conduct thorough cyber security due diligence can be serious.

Every business has unique cyber risks that should be evaluated, so an independent review of the target’s security posture against a recognised framework will ensure stakeholders have a full understanding of any potential cyber security risks — as well as the steps required to remediate them. As part of this process, there are typically three concerns to consider:

  1. Does the target organisation have appropriate security controls in place?
  2. Has the target organisation already been compromised?
  3. How can the target organisation be compromised today?

Businesses need to ensure they proactively understand current risks and liabilities along with the future levels of investment — because when you’re buying a business, you’re also buying its liability. And if an organisation is already compromised, that breach will become your responsibility.

Ultimately, security should be embedded in your company’s culture and IT strategy and must therefore be consciously and seriously considered in any decision regarding M&A activity. Working with a trusted partner gives you the confidence that any transaction is completed with full insight and understanding of any risks and liabilities — both for today and for the future. So for total peace of mind, call us today on 03330 11 22 55.

[1] Global M&A volumes hit new record in 2021, overtaking last year’s haul | Reuters

[2] Hedin withdraws £400mn Pendragon bid | Financial Times

[3] Rackspace outage crashes share price; Silent teleport steals data from financial institutions; Open source Cryptonite “accidentally” destroys data. This Week in Ransomware – Sunday, Dec 11, 2022 | IT World Canada News