Why cyber security matters in mergers and acquisitions (M&A)
Posted on 5th July 2024 at 14:28
By Dom Hardman, Cyber Security practice lead and CISO at Iridium
In today’s world of interconnected, technology-driven global commerce, mergers and acquisitions (M&A) serve as vital catalysts for growth, innovation, and competitive advantage. These transformative transactions enable companies to rapidly scale, access new customer bases, and enhance their technological capabilities.
The global M&A market has faced a quieter period over the past 12-18 months, impacted by a tough economic backdrop characterised by high inflation, increased interest rates, and reduced business confidence, which limited major investments. As we progress through 2024, signs of easing economic constraints are evident, and we expect to see increased M&A activity despite the subdued global deal volumes in H1. According to the ONS, Q1 2024 has already shown some green shoots particular in outward M&A (UK companies acquiring foreign companies) which was over 20% (£0.9 billion) higher than in Q4 2023. We have also seen average deal sizes increase and there is widespread anticipation that H2 will show an increase in activity volumes, with cross-border M&A activity earmarked for potential growth. But is the business world ready?
Amidst this resurgence, the importance of cyber security has never been more critical. Mergers and acquisitions involve not only substantial financial commitments and operational integrations, but also expose businesses to heightened cyber risks. Understanding the value of a trusted partner with experience not only of these larger transactions, but also global complexities, is essential.
During my career, I have been accountable for cyber security for over 25 major M&A deals, including £multi-billion international acquisitions, and I have seen, first-hand, the need for an effective cyber security strategy embedded into the M&A lifecycle to protect investments and maximise returns.
Normalising the cyber conversation
At Iridium, when we talk about 'normalising the cyber conversation,' we mean recognising the positive potential of cyber security and understanding how it can drive business growth.
Rewind 20 years, and cyber security wouldn't have been a consideration when identifying targets for investment or acquisition. These days, no business can afford to take this approach, or they may jeopardise the transaction by overlooking key risks and potentially incurring significant costs. M&A activity inevitably expands the attack surface of a business and increases the risk exposure of both companies involved. Worse still is the prospect of inadvertently ‘buying a breach’, where the target business is unknowingly compromised at the point of purchase, which then poses material technical, legal, financial and reputational risks to the acquiring entity as the businesses are subsequently integrated.
Secrecy and security are not the same thing…
Merger and acquisition activity is, by its nature, very confidential. Bid and deal teams are often small and specialised, working under strict NDAs and with a degree of detachment from everyday business operations. Keeping M&A activity confidential is important; premature leaking of bid activity can prevent a deal from proceeding or materially increase the price as other potential bidders are alerted. There are frequently regulatory and legal frameworks under which M&A activity must take place, all of which are designed to ensure that transactions not only comply with competition law, but also uphold best practices and safeguard all parties involved.
However, even within this context, few businesses would embark upon M&A activity without representation from finance or legal experts on their bid teams, and I believe that cyber security expertise is an equally important requirement for successful, well-executed M&A activity. The overarching goals being that investment cases are accurate, costs are properly understood, and executives can make informed risk-based decisions about potential purchases and investments. Working with the right cyber partner can demystify cyber security and ensure businesses can identify, mitigate, and communicate cyber risks alongside other, more traditional threats to growth, revenue, and profitability, enabling the navigation of the global threat landscape, where the direction of travel is becoming ever more complex and challenging.
Are cyber criminals tuned into companies undergoing a period of transition?
The merger and acquisition lifecycle is vulnerable to inherent cyber threats originating from various sources and trigger points. Beyond the overarching risk of 'buying a breach,' there are numerous cyber security challenges throughout every stage of acquiring, integrating, or investing in a business.
Those who monetise attacks on businesses are often referred to in news coverage as 'hackers,' but the preferred term, is 'threat actor.' These threat actors, typically operating in structured groups with clear, profit-focused goals, diligently monitor news feeds, use dark web sources for intelligence, and gather details on potential victims.
During periods of transition, such as M&A, when executives are primarily focused on negotiations, corporations become vulnerable. Threat actors can exploit this distraction as a tactical opportunity to launch attacks. Confidentiality in M&A transactions offer only limited protection, as sophisticated and experienced threat actors can often detect signs of activity or can simply target companies well known for their history of inorganic growth and frequent M&A activity. My view is that the assumption your M&A activity is secure because it is not in the public domain can lead to a false sense of protection.
In my experience, many in-house cyber teams lack the specialist expertise in M&A processes or the resources to do so alongside their critical daily responsibilities of securing and protecting the enterprise from cyber threats. Providing teams with the necessary time and resources to support M&A activities is essential to identify potential weaknesses that could undermine successful investments. Maintaining and, where possible, improving your cyber posture before, during, and after M&A activity is crucial, and will benefit greatly from partnering with external experienced cyber security teams. Having experience in both in FTSE 100 and Fortune 500 M&A activity and as one of only two foreign nationals to serve on the Board of Directors for the US-based National Technology Security Coalition (NTSC) I am confident in our ability to provide a global perspective.
Choosing the right partner
When choosing the right partner, it is important that they work to enable your business and bring expertise from due diligence to integration.
Our dedicated focus means that cyber security doesn’t sit on the sidelines; it is integral to the transaction and supports continued operational success. With Iridium, you are not just conducting a business transaction, you are setting a foundation for future security and growth. Our proactive approach, and experienced leadership, ensure that cyber risks are managed, not as an afterthought, but as a pivotal component of the M&A strategy.
To find out more, download our brochure on “effective cyber partnerships in mergers and acquisitions.”
Share this post: