Cybersecurity assessments need to play a greater role in M&A due diligence, say experts
Cybersecurity issues threaten more than half of merger and acquisition (M&A) deals, a new study has revealed.
The finding forms part of Forescout Technologies’ new cybersecurity risk survey, which looks into the role of cybersecurity in M&A due diligence.
In total, some 53 per cent of senior decision makers report their organisation encountering a “critical” cybersecurity issue or incident during M&A negotiations which put the deal at risk. The majority of these related to undisclosed data breaches, with 73 per cent of respondents agreeing that a concealed data leak is an “immediate deal breaker”.
Likewise, respondents said cybersecurity concerns discovered after completion of a deal would have been factored into the cost of the transaction, or would have led to the dissolution of the deal, had they been found earlier.
However, the research – which surveyed more than 2,700 business leaders across the UK, the US, Europe and Asia – also reveals that only 36 per cent of respondents “strongly agree” that their IT teams are given adequate time to review a target’s cybersecurity standards.
This indicates that discovering cybersecurity issues after completion of a deal may be a self-made problem, as senior decision makers race to get the deal across the line.
Worryingly, however, just 37 per cent of respondents “strongly agree” that their IT team have the skills necessary to conduct a cybersecurity assessment for an acquisition. Due to this, businesses often rely on incomplete cybersecurity audits or rely on expensive outside talent.
Commenting on the study, Julie Cullivan, chief technology and people officer at Forescout, said: “M&A activity can be a game-changing moment in a company’s history, but recent breaches shine the spotlight on cybersecurity issues and make one thing abundantly clear: you don’t just acquire a company, but you also acquire its cybersecurity posture and a potential trojan horse.
“Cybersecurity assessments need to play a greater role in M&A due diligence to avoid ‘buying a breach.’ It’s nearly impossible to assess every asset before signing a deal, but it’s important to perform cyber due diligence prior to the acquisition and continually throughout the integration process.”