53% of surveyed organizations report they have encountered a critical cybersecurity issue or incident during an M&A that put the deal into jeopardy, according to ForeScout (“The Role of Cybersecurity in M&A Diligence“). As such, visibility into key risks and determining actionable priorities are critical components of the Mergers and Acquisitions (M&A) lifecycle.
Although the role of cybersecurity in M&A, especially during ‘due diligence’ is nothing new to the industry, it is too often seen as a check-box activity, leaving many issues underestimated, unidentified, or even unseen. Today, threat actors are increasingly targeting M&A announcements themselves, or indicators of a potential transaction – to extract leverage – using leaked deal data, phishing schemes, and ransomware to exploit periods of organizational transition and distraction.
Now more than ever, organizations must proactively evolve their cybersecurity strategies, rebalancing due-diligence approaches and strengthening countermeasures to keep pace with a rapidly growing and increasingly sophisticated threat landscape.
The Pace of Chance
As the risk and threat landscape has significantly evolved in recent times, approaches to gain risk visibility and assess business level impacts for M&A has fallen behind. These must steadily evolve to position success and manage risk liabilities that are increasing in impact magnitude, with impacts spanning beyond cyber breaches into large scale reputational damage, costly legal affairs, and impacts to market capitalization for public companies as highlighted examples.
Some notable and issues warranting heightened concern include:
- The broadening span of workforce risks.
- Threat actors intentionally targeting the M&A transaction lifecycle.
- Third Party and Supply chain ecosystem complexity (data and operational).
Change Influencers
At a macro scale – heightened geopolitical tensions and geostrategic influences are placing certain industries and demographics at increased risk. This is often the realm of nation state actors or their ‘professional’ affiliates.
Impacted organizations may include:
- Organizations with operational components or intersections to Energy, Manufacturing, and Research.
- Intellectual capital is at greater risk, since partial theft of ideas and concepts augmented with AI technologies may be developed quickly into a commercially usable form – impacting markets and the competitive landscape.
- Organizations that can be regarded, regardless of industry, as fuel to the ‘national economic engine.
Key Areas to Consider Enhancing:
1. Data Ecosystem
Leakage and Exfiltration:
- Whilst many organizations have tight controls for merging a target’s infrastructure, there is often a gap to assessing what might have occurred pre-transaction that represents future risk liability.
- Standardizing Potential Risk Indicators (PRIs) over time – which may include patterns of security risk prior acquisition announcement vs. post. In this example, a range of compliance obligations may be impacted, such as PCI, GDPR, and more.
- Threat actor leverage can be obtained previously and used into the future for deeper reconnaissance potential through executive protection risks and broader cyber events.
Shadow IT, and Assets in an ‘under managed’ and/or ‘under configured’ state:
- Although most integration plans aim to quickly cut over to replacement technologies, this becomes more difficult with modern hybrid workforces, with disparate locations and potentially remote brick and mortar-based offices.
- Layer 2 and layer 3 devices are often slow to be addressed or not fully disclosed/discovered, elevating time-based risk window increases for threat actor opportunity.
- Often, assets that are not decommissioned immediately create additional digital footprint warranting concern, such as DNS, network configuration artifacts and more – elevating the attack and reconnaissance surface that is assumed to be contained and managed.
Data Boundaries and Operational Processes and Behaviors:
- Business processes of targets are often under documented, which limit an understanding of how data flows and is managed across organizational boundaries.
- Opportunity for fraud can be increased, and a range of insider threats exacerbated. Although there will often be controls to remediate on a go forward basis, the controls cannot remediate past events and incidents, being detected or undetected.
2. Attack Surface and Reconnaissance
- The tactical steps and time to perform cutover provides increased windows to threat actors to discover opportunities, such as vulnerabilities, misconfigurations, or simply control coverage gaps.
- The speed at which reconnaissance now occurs is faster than ever before, and in some cases reconnaissance and threat opportunity identification can outpace security tool detection and security processes to manage a coordinated response.
- Residual attack surface also provides elevated risk of reconnaissance, and irrespective of intent to disconnect or network pervasiveness and/or limit asset connectivity, presents adversarial opportunity.
3. Legacy Debt Accumulation
- Legacy debt is usually thought of as purely a technological issue. However, people, process, and technology combine to represent combined forms of legacy-oriented risks, often compounding existing legacy footprint thresholds for the acquiring organization.
- People: An incumbent workforce brings an array of skills, experience, and culture. Although onboarding usually forms a compliance focus, other behaviors and resulting decisions that can impact security risk.
- Process: Processes combine with both new and old technologies, amplifying risk according to process hygiene and process gaps, the latter elevating issues around standardization and security outcome commonalities.
- Technology: Technology approaching or beyond end of life is just a facet of legacy risk. The more the lifecycle plays out, the less a vendor will invest in that product, including release of features and functions. This elevates compatibility issues and increases OpEx required to keep footprint optimized – and even increasing the number and extent of risk exceptions.
4. Technology Licensing Hangovers
- Many vendors will closely monitor M&A transactions and perform audits as a method of true-ups, account consolidation and fortification, or consumption strategies.
- Rarely are licensing impacts assessed – and may incur financial and risk liabilities for over/under consumption. This can be highly distracting for operational teams to address with audits, and place vendors in a position of strength for contract negotiation.
- Even if there is consumption equilibrium, a review can help determine pricing thresholds, terms, and conditions, which can inform vendor strategies going forward without implicating attack surface and security investments pathways. Taking advantage of different licensing metrics may also provide cost optimization opportunities when coupled with procurement intelligence and market analysis support.
5. The Role of The Security Tech Stack
- Having a security tech stack that permits controls coverage deployment at speed is more critical than ever. This can occur with a phased approach according to risk priorities but may be challenging when not dealing with a localized footprint (multiple geographies).
In conclusion:
In today’s rapidly evolving threat landscape, cybersecurity is no longer optional in M&A—it’s mission-critical. Organizations must move beyond checkbox due diligence, proactively identifying and addressing risks before they can jeopardize a deal. Only by rebalancing strategies and strengthening defenses can companies protect deal value and emerge more resilient in an era defined by digital risk.
In closing:
- Keeping your M&A Program current with the ongoing evolution of security risks and threats is critical to securing your organization, and managing liabilities that can grow overtime into costly endeavors to solve. Ensure cross organizational stakeholders are aligned.
- At AccessIT Group, we partner with a range of organizations to create meaningful outcomes to reduce and remediate risks across all stages of the M&A deal lifecycle, thinking differentially to out anticipate and out-maneuver threat actors.
- Reach out to us if you wish to hear more about turning your risks into opportunities within your M&A Program and beyond.
