Cybersecurity Issues Are M&A Deal Breakers

Even as one-time Internet giant Yahoo is swallowed in a $6.5 billion acquisition, mergers and acquisitions (M&A) experts have warned that due-diligence audits of companies targeted for acquisition often reveal cybersecurity risks that compromise compliance and could threaten the merger and acquisition activities.

The warnings come in the wake of research, compiled for West Monroe Partners by research firm Mergermarket, that found 70 percent of acquisition targets had compliance issues and nearly half lacked comprehensive data security architectures.

Audits had revealed an abundance of security issues when companies were closely examined by potential acquirers: fully 37 percent of respondents said they had seen targets prove to be vulnerable to insider threats, with 27 percent lacking a data-security team and 17 percent having weak employee password policies.

A third of respondents said they had previously found inadequate mobile security at target companies, while 30 percent had found problems with local server storage and 20 percent had issues with vulnerable cloud storage.

There is no telling what cybersecurity issues emerged during Verizon's examination of Yahoo's internal systems in the lead-up to the clinching of the deal. However, the massive acquisition is likely to have surfaced more than a few outstanding issues that needed to be addressed.

Such findings can often have a material impact on the terms of an acquisition, with 20 percent of respondents saying they would use such findings to negotiate better terms including a lower purchase price.

“To protect themselves from security lapses, acquirers are turning to vigorous due diligence to examine the IT infrastructure of deal targets,” the report notes. “Diligence procedures are quickly expanding and improving – but many companies continue to identify shortcomings in the process.”

Reflecting this expanded focus, some 77 percent of survey respondents said that the importance of security of data at M&A targets had increased dramatically over the past two years, with the considerable costs of data breaches driving acquirers to take an increasingly proactive stance that can also result in deals being iced if a potential acquirer’s cybersecurity defences aren't up to scratch.

And that, the report's authors concluded, is an all too frequent finding once potential acquirers start digging deep into systems that have often struggled to get meaningful funding in the long term. Yet the presence of cybersecurity issues in and of itself is not a deal-killer; only one-third of respondents said they use the information gained in cybersecurity audits to decide whether to go ahead with the deal.

Rather, the key is to evaluate how much impact those issues will have on the business and how easily they can be remedied; some 47 percent of respondents said they used due-diligence findings to start planning for fixes to the problems they identified.

“It's realistic to expect most M&A targets to have a few cybersecurity issues,” the report's authors concluded, noting that a proper due-diligence exercise must examine “the full gamut of risks” including breach history, specific data threats, problems for integration, and the cost of potential fixes. “The key is identifying them and determining how easily they can be addressed.”

The cost of correcting existing problems after a merger was the most frequently cited concern about cybersecurity issues, nominated by half of respondents. This compared with 43 percent who were concerned about potential complications for post-merger integration; 37 percent worried about frequent or recent data breaches; 37 percent worried about threats to customer data; and 33 percent worried about threats to business data.

Respondents flagged a lack of cybersecurity staff as a key issue during M&A deals, with 32 percent saying not enough qualified staff had been involved in the due-diligence process during recent deals. This had often increased the cost of getting a newly acquired company up to speed, particularly since acquirers inherited both the infrastructure and the risks and potential penalties that would be incurred from an unforeseen security vulnerability.

“The abundance of new data security tools has made it easier to have cutting-edge technology in place,” the report noted. “But the way in which tools are used and relationships are managed remains paramount when it comes to maintaining sound cybersecurity.”

CSO

 
