Had cybersecurity problems been factored into the negotiations of a merger and acquisition (M&A) deal, the buyer might have backed out or altered the agreement if the repairs cost too much, a new study found.
Security provider Forescout’s new report, entitled The Role of Cybersecurity in M&A Diligence, showed cybersecurity’s prominent place among the main factors that influence and shape M&A due diligence. Indeed, the data indicated that cybersecurity concerns discovered following a done deal prompted nearly two out of three buyers to regret the transaction. A major case in point is Verizon's $4.5 billion deal to buy Yahoo in 2017 that saw a $350 million price cut owing to the search giant's massive security breaches.
To compile the study’s data, Forescout surveyed some 2,700 IT and business decision makers in Australia, France, Germany, India, the U.K. and the U.S. on the importance of cyber assessment during M&A deliberations and the subsequent integration process. More than half of the respondents (53%) said their organization had encountered a critical cybersecurity issue or incident during an M&A deal that jeopardized the pact. Some problems were serious enough to prompt buyer’s remorse, according to 65% of those surveyed.
Cybersecurity is something decision makers need to heed, said Julie Cullivan, Forescout’s chief technology and people officer. It can stop a deal in its tracks or cause major financial losses later on, she said. “You don’t just acquire a company, but you also acquire its cybersecurity posture and a potential trojan horse,” said Cullivan. “Cybersecurity assessments need to play a greater role in M&A due diligence to avoid ‘buying a breach.’ It’s nearly impossible to assess every asset before signing a deal, but it’s important to perform cyber due diligence prior to the acquisition and continually throughout the integration process.”
Some of the study’s other key findings:
- 36% of respondents strongly agree that their IT team is given adequate time to review a target’s cybersecurity standards, processes and protocols before completing an acquisition.
- 81% of IT decision makers (ITDMs) and business decision makers (BDMs) agree that they are putting more focus on an acquisition target’s cybersecurity posture than in the past.
- 53% of ITDMs say they find unaccounted-for devices, including IoT and OT devices, after completing the integration of a new acquisition.
- 73% of respondents agreed that a company with an undisclosed data breach is an immediate deal breaker in their company’s M&A strategy.
- 37% of ITDMs strongly agree that their IT team has the skills necessary to conduct a cybersecurity assessment for an acquisition.
"Cyber assessment may be viewed by many as a point-in-time exercise," Cullivan wrote in a blog post. "It is absolutely critical that the assessment of a target company’s cyber posture and the evaluation of potential vulnerabilities start from the very beginning of the M&A process and continue through integration and post-integration." Still, no matter how thorough a buyer's cyber evaluation, it "can only go so deep until the transaction is complete and the acquiring company has full access to the target company’s network, hardware, software, and other assets," she said.