Cybersecurity teams play a critical role in merger and acquisition transactions. Mergers and acquisitions (M&As) are significant business events that involve two or more entities combining their ownership, operating units, organizational and technological systems, and data. They require time, planning, processes, and due diligence. Cybersecurity should be top of mind in any M&A strategy to help businesses avoid unforeseen threats, ensure compliance, and protect a deal's value.

Mergers and Acquisitions

In a recent survey by Forescout, 62% of participants agreed that their company faces significant cybersecurity risks by acquiring new companies; they also listed cyber risk as one of their biggest concerns post-acquisition. Based on that study alone, it’s no surprise that nearly 60% of firms going through an M&A transaction in 2022 considered cybersecurity posture a critical part of their due diligence processes.

Mergers and acquisitions often require complex processes, multiple forms of change management, and cybersecurity due diligence before and after the transaction to ensure success and mitigate vulnerabilities inherited post-transaction. Cyber risk grows with every system, account, and network connection that an integration adds, making an offensive security risk assessment a necessary step during a merger or acquisition. Year-round continuous penetration testing, driven by both automation and human testers, is not only the most thorough way to identify risks and stay informed, it is also the fastest way to discover new exposures introduced by the sweeping business changes that take place.

RISKS OF MERGERS & ACQUISITIONS

Uncovering a weak security posture and existing threats is essential to avoid inheriting vulnerabilities in an M&A transaction. Below, we have outlined common and less common risks to consider with mergers and acquisitions.

Common Security Risks

  1. Technology/Digital Disruption
  2. IT & Interpersonal Resiliency
  3. Social Engineering
  4. Data Security
  5. Deal Execution

1. Technology/Digital Disruption

The technology integration, and the disruption that comes with it, can mask vulnerabilities or unusual activity on systems that would otherwise be identified as malicious or unauthorized: a surge in logins, new hosts on the network, or changed firewall rules all look like normal migration noise. It is essential to have complete visibility into the combined attack surface and to understand inherited policies, personnel roles, equipment, and procedures before making rapid changes, so that sensitive data remains protected and day-to-day operations are disrupted as little as possible.

2. IT & Interpersonal Resiliency

IT changes during an integration are often large and cannot all be scheduled to coincide, and security risks usually surface during this initial period of change. IT teams are the real champions of an M&A endeavor: they are typically over-burdened and have to navigate incompatibility and scaling issues as they learn about inherited legacy systems and processes and begin to unite them with new technologies. Personnel may feel overwhelmed by the integration tasks required for day-to-day operations, which pushes security-related functions down the priority list. Other common sources of weakened security during this period include personnel turnover, understaffing and staff burnout, sensitive data exposure, ransomware, and reduced functionality of business processes.

3. Social Engineering

New hires, or people reporting to new managers in the acquiring company, can easily fall prey to social engineering attacks because they are unfamiliar with the new reporting lines and hierarchy and cannot tell a legitimate request from an unusual one. Social engineering uses psychological manipulation to trick users into making security mistakes and/or giving away sensitive information. Common forms include impersonation (spoofed email purporting to come from a new manager or the acquirer), compromised accounts, and hijacking of existing email threads. According to IBM's 2023 Cost of a Data Breach Report, breaches initiated through social engineering cost an average of over $4.5M. A few of the most common social engineering attacks include phishing, spear phishing, baiting, pretexting, scareware, and watering hole attacks.

4. Data Security

Risk exposure is high during the transition phase for all acquiring and target organizations involved, since two (or more) sets of critical data are at stake. The acquiring company must determine the cybersecurity posture of the target, including where its sensitive data lives and who can access it, to fully understand what is at stake and to mitigate the risk of a data leak or breach.

5. Deal Execution

Buyers and sellers can expose themselves to known and unknown cyber risks when negotiating deal terms. Appropriate use of warranties and indemnities can transfer the financial risk of cyber incidents between the parties, and a security assessment completed before signing gives both sides the facts needed to set those terms before capital is released.

Less Common Security Risks

  1. Dormant Threats & IoT
  2. AI Threats
  3. The 5G Network & Technology

1. Dormant Threats & IoT

The acquired infrastructure may have hidden or dormant cybersecurity threats within its systems, such as malware or access management issues. The growing use of IoT (Internet of Things) devices and connectivity, such as smartphones, watches, refrigerators, medical sensors, fire alarms, door locks, etc., increases the attack surface. A larger number of connected devices also increases the chance that devices are overlooked and missed in integration and security assessments. Forescout's recent study found that over half (53%) of Information Technology Decision-Makers (ITDMs) say they find unaccounted-for devices after completing the integration of a new acquisition. Ultimately, every unvetted IoT device should be treated as a serious risk to information security until it has been identified and assessed.

2. AI Threats

Artificial Intelligence (AI) is rapidly evolving and integrating into the fabric of life and society today. Though there are many benefits, including increased efficiency and better decision-making, there are just as many cybersecurity risks. If a comprehensive approach to AI security is not taken, AI systems can be manipulated by attackers or make decisions that harm organizations and individuals. Organizations must adopt strong security policies, regular audits, and employee training programs to ensure their AI systems are secure, transparent, and ethical.

3. The 5G Network & Technology

5G, the fifth-generation mobile network whose worldwide deployment began in 2019, offers greater speed and capacity than older generations. These networks enable the deployment of many more devices in a smaller geographic area, which enlarges the attack surface and increases the risk of coordinated attacks against those devices. Continuous penetration testing, together with defensive controls such as encryption and firewalls, robust security policies, and employee education programs, are all worthwhile investments for organizations to acknowledge and address these risks.

Why Continuous Offensive Testing Is Needed For An M&A

An M&A may take months or even years, which is why managing cybersecurity and informing risk decisions needs to be an ongoing process throughout the entire M&A lifecycle. Offensive security and continuous penetration testing allow the acquiring company to stay informed of IT risk changes by uncovering weaknesses and vulnerabilities within the target organization's network security and attack surface. Continuous penetration testing pairs automated discovery with human testers who confirm whether a specific change is benign, harmful, or immaterial, and whether the assets involved (technology, personnel, etc.) carry a vulnerability an attacker could exploit.
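Two of the checks described above, the unaccounted-for devices that turn up after integration (see the IoT section) and the attack surface changes that continuous testing is meant to catch, can be expressed as a simple reconciliation. The following is an added example, not code from the original article or from Sprocket Security's platform: it compares a hypothetical inventory export from the target company against a constructed scan snapshot, and diffs that snapshot against a baseline taken at signing. The hosts, hostnames, scan lines, and the list of high-risk services are all assumptions made for the example.

```python
"""Reconcile an acquired company's declared asset inventory against what a
scan actually observes, and diff two scan snapshots to flag newly exposed
services. All hosts, names and scan lines are constructed for this example."""


def parse_scan(text):
    """Parse constructed 'ip port/proto service' lines into
    {ip: {(port, service), ...}}. Blank lines and '#' comments are skipped."""
    scan = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ip, port_proto, service = line.split()
        port = int(port_proto.split("/")[0])
        scan.setdefault(ip, set()).add((port, service))
    return scan


# Hypothetical inventory export handed over by the target company.
DECLARED_INVENTORY = {
    "10.20.0.10": "app-server-01",
    "10.20.0.11": "db-server-01",
    "10.20.0.50": "hr-laptop-07",
}

# Constructed scan taken at signing (baseline).
BASELINE_SCAN = parse_scan("""
10.20.0.10 443/tcp https
10.20.0.11 5432/tcp postgres
10.20.0.50 445/tcp smb
""")

# Constructed scan taken after integration: one host nobody listed appeared
# and a new remote-admin port opened on the app server.
POST_INTEGRATION_SCAN = parse_scan("""
10.20.0.10 443/tcp https
10.20.0.10 22/tcp ssh
10.20.0.11 5432/tcp postgres
10.20.0.50 445/tcp smb
10.20.0.77 80/tcp http
10.20.0.77 23/tcp telnet
""")

# Services whose appearance should be escalated first (assumed list).
HIGH_RISK_SERVICES = {"telnet", "ftp", "smb", "rdp", "vnc"}


def unaccounted_devices(declared, observed):
    """Hosts seen on the network that are absent from the declared inventory."""
    return sorted(set(observed) - set(declared))


def missing_devices(declared, observed):
    """Declared hosts the scan did not see: decommissioned, offline, or
    blocked from the scanner (each is worth a question to the target's IT)."""
    return sorted(set(declared) - set(observed))


def new_exposures(baseline, current):
    """(host, port, service) tuples open now but not at baseline."""
    exposures = []
    for host in sorted(current):
        for port, service in sorted(current[host] - baseline.get(host, set())):
            exposures.append((host, port, service))
    return exposures


def triage(declared, baseline, current):
    """Rank what a tester should look at first after an integration change."""
    findings = []
    for host in unaccounted_devices(declared, current):
        findings.append(("high", "unaccounted device", host))
    for host, port, service in new_exposures(baseline, current):
        severity = "high" if service in HIGH_RISK_SERVICES else "medium"
        findings.append((severity, "new exposure", f"{host}:{port}/{service}"))
    # High first, then medium; the stable sort keeps insertion order within a level.
    findings.sort(key=lambda f: 0 if f[0] == "high" else 1)
    return findings


if __name__ == "__main__":
    for severity, kind, detail in triage(DECLARED_INVENTORY, BASELINE_SCAN,
                                         POST_INTEGRATION_SCAN):
        print(f"[{severity}] {kind}: {detail}")
```

Run against the constructed data, the report flags the unlisted host 10.20.0.77 and its telnet service as high, and the new SSH and HTTP listeners as medium. In practice the baseline and current snapshots would come from the scanner used by the testing program, and the reconciliation would be re-run after every integration milestone so that a device or service that appears between assessments does not go unnoticed.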

Poor cybersecurity can lead to higher costs and exposure to critical risks, prolong and slow the acquisition process, and ultimately jeopardize a deal. Proactive risk management puts acquiring businesses in a better position to make informed decisions and improve the bottom line.

Gauge technical debt and any significant changes to assets or infrastructure during a merger or acquisition by assessing, managing, and staying informed of risk with Sprocket Security's Continuous Offensive Security Platform. Save money in negotiations, and avoid later losses, by identifying high-risk assets before they are acquired.

Learn more about Sprocket Security.