Well, Happy New Year everybody!!! It is so hard to believe that 2021 is already
over, and that we are now starting 2022.
As I have told my clients and prospects, 2021 is the year that has gone
by the fastest for me. Hopefully the New Year will ring in prosperity and
happiness to everybody's life. But one thing won't change, and that is the
Cyber Threat Landscape.
Quite surprisingly, there have not been as many news headlines this year as
in previous ones about what 2022 will be like. Perhaps everybody assumes
that it will be the same or worse? Sometime in the next week or so, I will
put up my thoughts on this as well.
But one thing that did catch the news headlines was all of
the Merger and Acquisition (M and A) activity that took place last year, in
2021. It seemed like just about every day some deal was happening, or there
was a Cyber company that was in the round of getting some sort of VC or
Angel Investor funding.
This was all despite the COVID-19 pandemic still going on,
with new variants coming out (primarily Delta and Omicron), and causing
some turmoil on the markets. It is expected that this trend will continue
into 2022, as some of the larger Cyber vendors gobble up the smaller ones,
and as the latter join forces with other smaller entities.
In a way, this reflects a strong economy, but also it reflects
that perhaps research and development/innovation could be slowing down as
well. This makes sense to a certain degree. After all, why spend the time
to come up with something new when you can just buy the Intellectual
Property from another company by simply buying them out, and then branding
that as your own?
Whatever the case may be, M and A activity in the Cyber
world is now starting to become a growing threat surface for the
Cyberattacker.
In fact, just in 2021, there has been an almost 500% increase
in the total number of Ransomware attacks. It is believed that a good chunk
of them happened to companies that were in the middle of a buyout.
Why would the Cyberattacker take advantage of this kind of
prey, you may be asking? Well, both entities (the buyer and the buyee) are
in a state of flux, with confidential information and data being shared
between them, buyout details being finalized, etc.
In other words, there is now an increased level of
vulnerability as pretty much everybody in the C-Suite has their guard down,
especially the CISO.
So if anything, this is the time when everybody's guard
must be up, because it is so hard to tell what is real and what is not in
today's digital economy. Although there is no magic bullet that will
prevent this vulnerability from occurring, there are steps that both sides
can take to mitigate the risk of becoming a victim of a Ransomware attack.
So, what are they? Here we go:
1) Both sides should be Cyber ready:
During the initial talks of the Merger and Acquisition activity, both sides
of the C-Suite (especially the CISOs) must assess each other's Cyber Risk
profile. There must be an equal plane between both parties, and if not, it
has to be leveled out to the satisfaction of both sides. In other words,
one cannot be greater than the other. Once everybody is content with this,
then the talks should continue. If there is still a mismatch, then the
talks should be halted until this is resolved. After all, you are dealing
with some pretty serious stuff here: Intellectual Property, the PII
datasets of employees and customers on both sides, market intelligence,
etc. The last thing you want to happen is news breaking of a security
breach just as a deal is about to close. Also, communication is very
important during this phase, so make sure that the IT Security teams on
both sides of the fence are kept aware of what is happening and of any
adjustments that need to be made.
2) Have all documentation in place:
By this I mean that all of the Incident Response/Disaster Recovery/Business
Continuity Plans must be ready to be enacted if a security breach happens
during Merger and Acquisition negotiations. Both sides need to have these
documents in place, and they have to be well rehearsed so that everybody
knows what they need to do, without a moment of hesitation. A great thing
to do here would be to hold a mock simulation exercise of a security breach
where the IT Security teams from both parties work together to stop the
attack from happening. Not only will this test the readiness of both sides,
but it will also show any weaknesses which need to be resolved first before
the actual deal can take place.
3) Try to show a strong image:
With all of the information that is available on the Internet today, and
especially through the Social Media sites, the Cyberattacker of today can
build a profile of not just individuals, but of business entities as well.
They take their own sweet time to do this, and once they find a weak spot,
they will make their move. And keep in mind that this is all done with
publicly available information. Therefore, both sides need to portray the
image that their lines of defense are strong, and that nobody involved in
the transaction is a soft target. Also, the CISOs on both sides (as well as
the others that are involved) need to be very careful about what is posted
in the public domain. The best advice here would be to post as little as
possible until the actual deal is signed and done. In this regard, it may
well be worth the expense to even hire an outside Public Relations firm
that specializes in Cybersecurity to help out with this process.
My Thoughts On This:
I have to be honest, in all of the writing that I have done,
it never occurred to me that Merger and Acquisition activity could also be a
target. But now it makes sense. As mentioned, the very last thing you want
to happen is for a Cyberattacker to make a muck of things during the deal
making process.
If they do steal stuff in this phase, most likely, they will
end up selling it on the Dark Web.
The end result of this is just bad publicity for both sides,
and especially for the buyer, it could mean that the value of your target
company could also tank, especially if it is a publicly traded company, as
Earnings Per Share (EPS) could take a huge hit.
So, it is very important that both sides make sure that everybody
is on the same page in terms of Cybersecurity before any deal making talks
continue.