Thursday, 29 June 2023

Ignoring system vulnerabilities can cause big headaches in M&A.

There’s a lot to think about in a merger or acquisition – assets, liabilities, earnings, terms and conditions, and commitments way into the future. One thing often overlooked is cybersecurity and integration. When that happens, the buyer can end up with an expensive post purchase headache.

And whose fault is it? That part is simple: due diligence isn’t just for the legal issues. Less simple is unpacking the sorts of problems that can come from historic underinvestment in cybersecurity.

A business in the process of being sold may have been experiencing financial difficulty. When times are tight, cybersecurity can seem less urgent than payroll. But when the business changes hands, so does the liability.

Consider these potential risks. Firstly, what will it cost to remedy the security weaknesses and make the organisation compliant? Secondly, if a breach happened, would the organisation be in a position to respond adequately? Thirdly, is anything under investigation? If so, are fines likely? Fourthly, the reputational cost: are you buying a problem that will soon have your name on it? And fifthly, if you are merging a secure organisation with one that is less secure, could this render the secure organisation vulnerable post-merger?

Consider two examples. In the first, a bank sells its life insurance business, which had previously been covered by the large bank’s cybersecurity processes. Once it was sold, however, the new owners failed to invest adequately in replicating those security measures. This led to a significant data breach that compromised thousands of customers’ data and resulted in heavy regulatory fines and reputational damage.

In the second, a large e-commerce company acquires a start-up known for its cutting-edge customer relationship management (CRM) application. But is that application secure, and does the team follow secure development processes? Has it been assessed to ensure that it is free from vulnerabilities that could be exploited, leading to theft of customer data and personal information?

In the era of the mega breach, it has become clear that data poses a risk in itself. Simply by holding data, the business becomes more vulnerable to hackers. As such, it is important to ask: does the business have data minimisation processes to make sure data is held only when necessary? Is historical data cleansed? Inadequate data retention policies can put the organisation at risk under new data privacy legislation if it holds data it should no longer be holding.

Mandatory reporting obligations under the Privacy Act, updated with stronger penalties since the Medicare breach last year, mean there is more scrutiny on cyber breaches by regulators and the market than ever. Customers are now voting with their feet, taking business away from suppliers perceived to be risky from a cyber perspective. As such, being aware of what you are buying into is essential. Making a merger and acquisition decision in an operating environment with limited information is fraught with risk. Risk analysis and risk management become critical.

In the context of mergers and acquisitions, here are four questions you should ask in the deal room before signing on the dotted line:

  1. What percentage of the IT budget is spent on cybersecurity?
  2. Have there been any recent cybersecurity incidents and what action was taken as a result?
  3. What percentage of staff has undertaken cybersecurity training in the past year?
  4. When was the organisation’s last cybersecurity scorecard or maturity assessment?

Lots of questions, yes. But only a brave individual would buy a house without a building and pest inspection. And it would take an even braver one to buy the house knowing it had major structural defects.

A similar approach should be considered ahead of a merger or acquisition.