Big merger and acquisition proposals trigger intense examinations of the benefits and risks of the deal from both sides—valuations, assets, legal liabilities, operational risk exposures, and compatibility, among others. However, it is also critical that companies elevate another factor to the top of the priority list: their cyber risk exposure. The pending acquisition of Starwood Hotels and Resorts Worldwide by Marriott International, recently approved by the companies’ shareholders, puts this issue in the spotlight. Both Starwood and some of Marriott’s franchisees have suffered data breaches within the past couple of years.
Merger and acquisition deals always carry some level of risk. Companies inherit each other’s problems, such as pending lawsuits, poorly manufactured products, or regulatory violations. Cyber-related problems are also on that list. Yet, even as more companies continue to fall victim to data breaches, cyber risk tends to sit pretty far down on the list during the due diligence process.
According to Dealogic, 2015 was a landmark year for total U.S. targeted M&A deals, with volume surpassing the $2 trillion mark for the first time. As the upswing continues, companies need to treat cyber risk just like any other risk. If company A merges with company B, and company B has significant exposure to a potential cyber-attack, the combined organization will also be exposed to that risk.
For example, if company B runs an insecure e-commerce application that a criminal has already exploited, that foothold extends to company A’s network, including its most sensitive data, once the two networks are connected. If criminals have planted malware on company B’s network, company A is exposed to that malware as soon as the environments are joined. If company B manages its perimeter poorly, a criminal can break in from the outside with little effort, and company A then faces the same threat.
Those are examples of technical risk; there is financial risk as well. If company B stands to lose ten million dollars because of a poorly secured e-commerce application, that exposure affects its valuation and acquisition price, and the cost to the acquirer is not capped at ten million dollars. A breach after the deal closes could produce a larger combined loss, and it would damage company A’s reputation as well. If company B faces a civil lawsuit over a data breach, company A may end up paying the damages.
The process of integrating two companies’ networks also carries a high level of cyber risk. An M&A transition brings a great deal of change, activity, and distraction, and with employees uncertain about their futures, the risk of insider threats rises significantly. The two companies typically run different technical platforms, processes, and procedures; integrating those alone is a challenge, and managing security at the same time is harder still. As soon as the transaction is completed, it is critical to manage the cyber risk of the combined entity as holistically as possible.
Before, during, and after an M&A deal, companies must do their due diligence regarding cyber risk just as they would for other financial and operational risks. Cybersecurity should not be any less of a priority than anything else. Acquirers should evaluate the cyber risk posture of the company they are acquiring, find its vulnerabilities, and mitigate them before the deal goes through. After the deal closes, the company should maintain a comprehensive view of the combined entities to make sure its cybersecurity is being managed properly.
While Chief Information Security Officers (CISOs) are mainly responsible for managing cyber risks during the M&A process and beyond, that doesn’t mean that no one else needs to worry about it. Cybersecurity should be everyone’s business, from board members to interns. CISOs quarterback the cyber risk M&A process; everyone else runs with it.