M&A Should Stand for “Mitigate, Not Avoid”
We’ve all read the horror stories over the past several years – the revelation of prior data breach in a target organization led to a massive decrease in the sale price, the unknown/unmitigated compromise led to a subsequent breach in the acquiring organization and massive PR fallout. It rings true to all of us in the business of cybersecurity, because the story really could be any of us. Moreover, from what I’ve seen, there are two truths to most large organizations:
- Bigger = More assets = larger risk surface area
- Growth is often achieved (and sustained) through inorganic growth
Also in my experience, these two things are linked, both in terms of the risk that they expose organizations to, and equally the (often missed) opportunity an acquisition represents – the chance to mandate real change, and if you do it right, before you even inherit the new network.
I had the chance to speak with Randy Sabett, Special Counsel at Cooley LLP, specifically about his perspective on cyber diligence across the M&A pipeline, and the bottom line was that “the massive and public fallout from cyber risk pertaining to M&A is absolutely avoidable by illuminating and managing issues before completing the deal.” And that’s not just from the buy side – as the target organization, this was the opportunity to claim the known skeletons in your closet. While it’s clearly better to deal with issues before, whether network segmentation or patch management, making a clear and accurate attestation to the state of your cybersecurity program and stack goes a long way to the relationship with the soon-to-be parent organization and saves a lot of angst when it comes to the inevitable changes if the sale goes through.
The key is asking the right questions ahead of time – for example, how key corporate IP has been protected – answers to questions such as this can offer both an insight into the risk of that value (likely tied to the broader acquisition hypothesis), as well as potential ideas for your own defensive strategies. Bottom line, getting all of this out ahead of time is good for everyone because it allows you to find solutions that are a good fit for both parties involved. Otherwise, best case scenario, you’re leaving unknown risk to lay in wait, and worst, you’re setting up your new parent company for compromise.
All of this can seem difficult to navigate, but it boils down to this: you can either use discovered risk to manage the dynamic of the merger or acquisition, or wait for it to impact you, on no ones terms, mid- or post-deal.
Pro-tip: If you’re just starting out in adding cyber to your M&A process – if you’re on the buy side, get your questions in early in the diligence process – if you’re on the sell side, make sure you have a firm handle on your “cyber house” – make sure things are in order, and for those things that aren’t, get a plan in place to demonstrate that the risk is in the process of mitigation.