Information & Architecture Security Risk
Just to the Point
Cyber Risk Arbitrage
Protecting Your Investment during M&A
Global mergers and acquisitions (M&A) activity has increased over the past few decades. Big-ticket transactions such as Broadcom, LinkedIn, Splunk and Seagen are a few that became front-page news.
From 2006 to 2023, the M&A transaction average was $3.4 trillion. Morgan Stanley, in its 2024 M&A outlook report, presented record transaction values in recent years. The report also alluded to increased activity in the coming years in sectors such as Energy, Technology and Healthcare.
Generally, such transactions come with great opportunities and also with potential risks.
Figure 1: M&A transaction value trend. Source: Refinitiv, as of January 2, 2024.
M&A enables the acquiring entity to position itself strongly in the market, improve its product offering and enter new service or product segments. Certainly, there are risks such as financial, legal and regulatory impact, misaligned integration and cyber security risks, to name a few.
Investment bankers and financial experts use Risk Arbitrage, a well-known investment strategy, to capitalize on mergers and acquisitions. In layman's terms, the technique thrives on implementing a strategy of buying stock of the acquired company early on and benefiting when the transaction is successfully completed, and addressing the financial risk or financial risk to synergy.
Legal and regulatory risks require thorough due diligence of the target entity. In my opinion, Disney’s acquisition of Pixar (2006) and Nestlé's acquisition of Nespresso (1991) are great examples which resulted in success stories.
Cyber security risks are mostly overlooked, but they are one of the critical factors that may make or break the entire deal, turning it from a fairytale into a nightmare. You must be thinking, why? Correct? Let’s look into some recent examples:
1. In November 2015, Marriott announced its intention to acquire Starwood for $12.2 billion, creating the world's largest hotel chain at the time. However, in September 2016, Marriott revealed that Starwood had experienced a massive data breach that began in 2014 and was not discovered until after the acquisition agreement had been signed. The breach compromised the personal information of approximately 500 million Starwood guests. While the acquisition ultimately proceeded, Marriott faced regulatory scrutiny and potential legal liabilities related to the breach.
2. On June 13, 2017, Verizon completed the acquisition of Yahoo. The deal reportedly saw a significant price reduction (around $350 million) after a data breach compromising over a billion customer accounts was identified.
Figure 2: Risk and Arbitrage Abstract
These studies and front-page news stories show a clear trend, i.e., M&As create exposure to breaches due to various underlying reasons. While a specific percentage isn't available, the risk is significant.
Here are some reasons why it might be difficult to pinpoint a specific percentage:
Attribution Challenges: Attributing a cyber-attack to a specific event like a merger can be challenging.
Underreporting: Many cyber-attacks go unreported, making it difficult to get complete knowledge of the event trail. Sometimes, it could be unintentional, but the Acquirer holds the complete responsibility.
Other: Various other factors such as budget cuts, changes in the organization's technology strategy and lack of leadership support, to name a few.
Hence, focusing on the known risks and taking proactive measures is crucial for companies expecting to merge, acquire or spin off, any of which can introduce various cybersecurity risks, including:
Regulatory Compliance: Failure to comply with regulations in different jurisdictions can lead to legal issues.
Cultural Differences: Different security cultures between organizations can pose challenges in aligning security practices.
Integration Challenges: Merging networks and systems can create vulnerabilities if not done securely.
Third-Party Risks: Increased reliance on third-party vendors can expose the organization to their security weaknesses.
Data Breaches: During the transition, sensitive data may be vulnerable to breaches.
Mergers and acquisitions (M&A) and spinoffs can create a host of cybersecurity vulnerabilities for organizations. Here's a breakdown of the main risks and how to manage them:
A. Increased Attack Surface:
1. Heterogeneous Systems: Merging two companies brings together different IT systems, security protocols, and potentially outdated software. This creates a wider attack surface for malicious actors to exploit vulnerabilities.
2. Access Management Challenges: Integrating user accounts and access privileges across two organizations is complex. Temporary access granted during the transition can become permanent if not carefully managed, increasing the risk of insider threats.
B. Data Exposure and Loss
1. Data Migration: Moving vast amounts of data between systems during M&A or spinoffs can lead to accidental exposure or loss if not done securely.
2. Unidentified Sensitive Data: Sensitive data (e.g., customer information, intellectual property) might exist in undocumented locations within the acquired company, increasing the risk of a breach if not identified and secured.
C. Disrupted Security Operations
1. Diverted Resources: Cybersecurity teams get stretched thin focusing on integration efforts, potentially neglecting core security tasks like threat monitoring and patching vulnerabilities.
2. Loss of Institutional Knowledge: When employees from the acquired company leave, valuable knowledge about their systems and security posture might be lost, creating blind spots for the new organization.
A strong balance sheet, product portfolio, and future business growth after convergence may be contemplated. It is evident, though, that one of the two entities might not be up to the mark in terms of cyber security posture, resulting in negative synergy.
The list provided may not give complete coverage of the reasons behind cyber risk materialization during M&A. It does, however, set out potential issues which should be considered during the process. The focus of this post is not only to consider risks but also to provide tool sets or opportunities for acquiring organizations to structurally assess the risk, and to provide guidance or potentially a way to arbitrage or benefit from synergies.
Cyber Risk Mitigating Strategy during M&A:
A. Building Trust:
1. Cultural Integration: Mature leadership is expected to demonstrate empathy, build trust and motivate people for value creation. Invest in people to improve cross-functional or intra-company knowledge transfer.
2. Independent Assessor: Assess the cyber security posture of the entity, evaluate the blast radius in case of a security incident, and expect a report from a third-party assessor on People (skills), Process (maturity level) and Technology (complexity). A detailed risk assessment report, and providing such insights to the Board or the leadership, brings confidence.
Figure 3: Role of Arbitrator.
3. Transparent Communication: Leadership can adopt a meaningful communication strategy. It could be via in-person townhalls or through webinars or emails. Strong lines of communication are essential not only with cyber but with all departments in general.
B. Phased Integration: Implement a phased approach to integrating systems, focusing on security first and access to the market later. (Yes, I don’t want to sound cynical, but it reaps great benefits in the future.)
1. Security Due Diligence: Conduct a thorough security assessment of the target company during M&A to identify vulnerabilities and potential integration challenges.
2. Compliance Adherence: Ensure compliance with relevant regulations and standards throughout the process. The National Institute of Standards and Technology (NIST) provides a great framework, and others can also be evaluated based on industry sector.
3. Security Policies and Procedures: Establish consistent security policies and procedures across the merged entities.
4. Data Mapping and Classification: Identify, classify, and secure sensitive data across both organizations before migration.
C. Operational Readiness: Once the first two steps are in place and going the way they were expected, a win-win situation is created. To bring value, both enterprises focus on operational integration:
1. Technology Integration Planning: Develop a comprehensive plan for integrating IT systems, networks, and security controls.
2. Efficiency vs Efficacy: Efficacy generally means reaching the desired goal, and efficiency means accomplishing something with minimum resources. Organizations evidently do not have unlimited resources, but security priorities must be identified and implemented.
3. Continuous Monitoring: Implement robust monitoring systems to detect and respond to security threats promptly. Update the incident response plan to address potential scenarios arising from the merger or spinoff.
4. Security Awareness Training: Train employees on new security protocols and data handling procedures.
In the context of cyber risk, arbitration may bring excellent benefits when used to resolve disputes arising from cybersecurity agreements, risks identified during the assessment, contractual disputes related to cybersecurity services, or any other cybersecurity-related matters.
The benefits of cyber risk arbitration include:
Confidentiality: Arbitration proceedings can be kept confidential, which may be desirable when dealing with sensitive cybersecurity issues.
Expertise: Arbitrators with expertise in cybersecurity can be selected to hear the dispute, ensuring that decisions are made by knowledgeable professionals.
Efficiency: Arbitration can often be faster and more cost-effective than traditional litigation, which can be important in resolving cybersecurity disputes promptly.
Flexibility: Parties have more flexibility in choosing the procedures and rules that will govern the arbitration process, allowing for a tailored approach to resolving the dispute.
Overall, cyber risk arbitration provides a mechanism for parties to resolve cybersecurity-related disputes in a fair, efficient, and confidential manner.
Sources
1. Morgan Stanley, "2024 M&A Outlook: Ready for a Rebound".