Mitigating cyber risks in mergers and acquisitions

Acquisitions can be a major threat to security. Take the example of the recent Dropbox data breach, which is a classic case of “ breach by acquisition ”, according to experts.

It’s a common theme. All too often, an organization will onboard a new service or product and fall victim to unknown vulnerabilities. In the case of Dropbox, the culprit was its e-signature service, Dropbox Sign, which it acquired as HelloSign in 2019.

In 2018, Hotel chain Marriott admitted an unknown third party had illegally accessed its Starwood reservation database. Its 2016 acquisition of Starwood had left the hotel giant at risk, after it it failed to update the old reservation system, leaving it vulnerable to malware and data breaches.

Security oversights such as these can lead to huge repercussions, including regulatory fines. In 2020, Marriott was fined $23.8 million (£18.49 million) for failing to update Starwood’s IT infrastructure.

When Yahoo acquired Verizon in 2016, it faced legal scrutiny from the US Securities and Exchange Commission (SEC) over failure to disclose two data breaches that had taken place in 2014. “The fine was in the tens of millions, but the reduction in acquisition cost was even greater,” says Sara Boltman, founder at Butterfly Data.

Cyber security risks posed by mergers and acquisitions

The security risks associated with acquisitions are complex. Issues can be exacerbated by the “daunting task” of merging different security infrastructures, which can create gaps exploitable by cyber-criminals, says Mark Allen, CFO at Everything Tech Group. “Additionally, there is the challenge of bringing organizational cultures and practices around cyber security together, which if not managed carefully, can lead to inconsistencies and weaknesses.”

Outdated, legacy systems and unpatched software can add to problems for the acquiring company, says Todd Renner, senior managing partner in the cyber security practice at FTI Consulting. “These potential issues can lead to disruption of business operations, damage to company’s reputation as well as regulatory scrutiny and costly litigation.”

Criminals often lie in wait for attack opportunities involving acquisitions. Jaco Vermeulen, CTO at BML Ventures, worked on a transaction last year where the target company faced – and thwarted – an attack within an hour of the acquisition announcement.

He describes how the acquisition itself can raise immediate security risks. “Companies can be at risk from phishing attempts using now public information such as executives’ information to request actions by employees who aren’t in the know.”

Martin Jartelius, CSO at Outpost24 describes how his company has observed several cases where the actual acquisition triggered targeted attacks. “It can result in CEO and CFO scams, as there is now an inherent uncertainty about mandates and validations between parts of the organization.”

It's important to note that once the acquisition is complete, the buyer is ultimately responsible for the security of the company subject to appropriate protections in the corporate documents, says Lauren Wills-Dixon, senior lawyer and data privacy expert at law firm Gordons. “Therefore any ongoing security issues will become the buyer’s burden.”

The due diligence process of establishing the value of data held by the company being acquired often takes months and can uncover a host of problems hidden in plain sight, says Boltman. This can include historic non-compliance with data protection laws and even previously undeclared data breaches. “For the acquiring company, this can have repercussions in terms of how much risk they are willing to take on – and it may reduce the price they are willing to pay or derail the merger altogether.”

Overcoming acquisition risks

The challenges are clear, but it’s possible to avoid major issues by preparing before the acquisition takes place. Conducting detailed security and data protection audits to help identify any vulnerabilities and compliance issues is “crucial”, says Rob Cobley, commercial partner at Harper James. “You should also evaluate potential risks to data security and privacy posed by the acquisition and ensure contracts include clauses mandating adherence to security and data protection standards.”

To mitigate the risks, companies must prioritize cyber security throughout the acquisition process, says Allen. This involves conducting thorough security assessments of the target, involving IT and cyber security teams early on, and ensuring a strategic approach to integrating technologies and cultures, he advises.

Before the acquisition takes place, Allen advises conducting a pre-deal security assessment. “Conduct a thorough security evaluation beyond desktop research. Implement comprehensive penetration tests , vulnerability scans and review historical security practices to identify any pre-existing compromises. Ensure this assessment is continuous – not just a one-time snapshot – to account for changes during the transaction period.”

Immediately after the deal, assess the acquired entity's network, system, tenant, and device security, says Allen. “Establish a baseline of cyber security health and hygiene to identify any urgent risks or issues that need addressing before integration.”

Developing a robust integration plan is “essential” to ensure seamless system migration and align organizations and their employees with security best practices, Renner advises.

For a secure integration process, carefully manage identities throughout the merging of networks, applications, databases, directories, and email platforms, says Allen. “Monitor changes to access rights and permissions closely, and vet new personnel thoroughly to ensure they meet the security standards of the organization.”

This can help prevent identity-based cyber attacks , which can arise from poor management of user permissions and losing track of which employees have network privileges.

Cyber strategies for mergers and acquisitions

Firms should be conducting a thorough cyber due diligence process, increasing investment to bring the newly formed company in line with the benchmark for their industry, says Lorenzo Grillo, managing director at Alvarez & Marsal. He advises keeping incident response and recovery processes up to date post-acquisition, which can “significantly reduce the likelihood of incidents post-acquisition”.

An overview of how the threat landscape is evolving

In addition, businesses need to align the target company's data protection policies with their own to ensure compliance and maintain clear communication channels between both parties' IT and data protection teams , says Cobley.

Even after the acquisition is complete and the company is integrated, security is an ongoing project, which needs to be maintained. “Conduct periodic audits to ensure compliance with data protection regulations and provide ongoing training to employees on data protection practices and policies ,” says Cobley.

After integration, firms should continuously monitor the combined entity for any security issues, Allen says. “Be prepared to adjust security measures as needed to address new threats and vulnerabilities that may arise from the integration of the two organizations’ systems and operations.”