M&A directors: be cyber-savvy when it comes to your transactions

Why should cyber issues be integrated more systematically into your transactions?

When it comes to M&A transactions, whether you are buying or selling, the use of consultancy firms for financial due diligence is a prerequisite that you cannot do without. But cyber issues can also come into play at every stage of your deal. Here are the reasons why you should anticipate them upstream and incorporate them more systematically into your transactions.

According to a study by (ISC)², almost half of the companies involved in a transaction have seen the deal fail because of flaws that were not disclosed at the time of the deal. How can you manage this risk at every stage of the deal, whether you are a seller, buyer or investment fund?


1- Pre-deal phase

In the pre-deal phase, the crucial question is valuation: 82% of investors say that the stronger a company's cybersecurity infrastructure, the higher the estimated value of the organisation ((ISC)² "Cybersecurity Programs Shown to Have Tangible Value in M&A Assessments").

When you are buying, the value of the target is the subject of a large number of multi-disciplinary assessments (finance, HR, IT, etc.) and discussions. It is essential to include the cyber dimension in this due diligence. Cyber due diligence assesses the solidity and security of the IT infrastructure: does it hold up? Does the company under review have good cyber security hygiene? Has it already been attacked? If so, how did the company react to these cyber security incidents? Are there any known or as yet unidentified vulnerabilities? The more precise this assessment is, the better it will enable potential buyers to obtain a clear view of the target and determine its value.

As a prerequisite, a cyber assessment carried out prior to the transaction, based on Open Source Intelligence (thanks to tools such as Threat Watch in particular) and going further than mere declarations, helps to avoid certain pitfalls. This assessment also helps to estimate the losses that could be incurred as a result of the vulnerabilities identified, or even those that could compromise future operations or activities, and therefore, ultimately, to refine the value of the target studied. Without it, the major risk for the acquirer would be to inherit a significant technical debt by integrating a business that endangers the existing business. Without cyber due diligence, you also run a major reputational risk, as you could be acquiring a structure that has already been the target of attacks.

When you're up for sale, it's also a question of valuation, because the aim is to maximise the value of the business being sold. Knowing your vulnerabilities well in advance of the deal, those that could represent a real loss of value or that could be exploited during a separation, enables you to prioritise, mitigate or correct them.


2- During the transaction

During the transaction process, the two entities involved, whether buying or selling, become more visible on the market and are more exposed to cyber risks. The transaction may be accompanied by uncertainty and instability. In this context, the company becomes more vulnerable and prone to attacks (for example, leaks of sensitive data on the market that compromise the transaction). It is therefore highly advisable to attend to your company's cyber health well before the deal: strengthening it beforehand is a prerequisite.


3- Post-deal phase

Once the deal has been signed, cyber checks can still prove very useful. In fact, when it comes to PMI (Post Merger Integration), the IT and cyber security dimensions should not be neglected, because poor preparation before the integration can once again have a negative impact on the success of the deal.

When you integrate the business, it may be worthwhile to take the analyses carried out on the target during the preparatory phase one step further. Indeed, before the deal is contracted, the analysis is generally based on open source data. However, there are tools available that analyse in detail any compromises to the information system of the business being purchased, thereby ensuring that the IS is compliant before integration.

When you separate yourself from your business, and in the particular case of a carve-out, the operation creates a transitional period accompanied by a form of insecurity. In essence, this is what CISOs want to avoid at all costs. It is therefore essential to anticipate, measure, manage and steer the cyber dimension of the operation. Your cybersecurity approach is more crucial than ever, because it is how you secure your remaining assets, ensure that data is watertight and preserve the integrity of your business.

When the information system is the keystone of your business, or that of the business being acquired, and whatever the field of activity or the size of the operation, cyber security becomes an imperative.


As an M&A director, you have every interest in working hand in hand with your CISO, from the preparatory stages and throughout the deal continuum, to make security a factor in the success of your M&A operations.

© 2023 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity.
Please see www.pwc.com/structure for further details.
