Striking a deal: will your cybersecurity issues hold up the next merger?

Is your enterprise going through a merger and acquisition? Will your cybersecurity issues be the reason for holding up the deal–or even worse–for causing the deal to fall through?

More and more cybersecurity is a vital area to assess in a deal–one that could make or break a merger or acquisition for your company. 

According to a new study by West Monroe Partners and Mergermarket, Testing the Defenses: Cybersecurity due diligence in M&A, 77 percent of acquirers believe the importance of cybersecurity at M&A targets has increased significantly over the last two years.

One key finding of the report is that 70 percent of respondents said compliance problems are one of the most common types of cybersecurity issues uncovered during due diligence, while 40 percent said a lack of comprehensive security architecture is also common.

Despite its growing importance, 40 percent of respondents still discovered a cybersecurity issue after a deal went through. The lack of qualified cybersecurity talent seems to be a looming cause, as 32 percent of acquirers claimed not enough qualified people were involved in the cybersecurity diligence process in recent deals. 

Companies can and should beef up their cybersecurity talent before undergoing their next M&A, Matt Sondag, managing director of M&A, and Sean Curran, director of security and infrastructure, at West Monroe Partners, said that a lot of their work is IT due diligence. 

“West Monroe does around 250 deals a year in the acquisition space with a heavy focus on security. In trying to get a sense of where the market is, we have been asking How pervasive is security? Almost everyone is now considering security where they didn’t a few years ago,” said Sondag.

“In the last 18 to 24 months, we have really started to see the importance of cybersecurity resonate with our clients,” said Matt Sondag, Managing Director at West Monroe Partners. “When a data breach lands on the front page of CNN.com or The Wall Street Journal, companies start to pay closer attention to the issue.”

Since the risks are different for every organization the due diligence that must be done becomes part of the deal itself. “We can’t look at each organization the same way. We have to look at the risk to the business. Manufacturing is very different from an organization that stores and processes data,” said Curran.

In order to understand where the risks are, you first have to understand business. In the midst of a deal, the key thing for anyone is doing that risk assessment themselves. “If they have PCI compliance, they need to be able to say how they are assessing. Do they conduct self assessments or use a third party?” said Sondag. “The bigger thing we see, though, is a lack of education in terms of what they need to do.”

When they ask a company what they are doing to ensure they are PCI compliant, they look but are still not aware. These gaps in communication contribute to the friction and tension for security teams but also position enterprises as vulnerable targets for attack.

Absent of being able to bring this information to the table, they could delay the close for the deal. “What could be a two- to three-month close is extended for four to six months. The new buyer can demand the issues be remediated. That’s one scenario,” said Curran.

Another is that they have to put money in escrow. “For a lot of companies, it’s tough to prove 100 percent that a breach has not occurred. Because the penetration into a network is too intrusive, we are never given that access, but the average breach takes nine months to be uncovered,” said Sondag.

If it historically takes nine months to discover, the law firm is not going to be able to tell its client definitively whether there has been a breach, but they can and will give an indication of the things that need to be in place for security best practice.

Getting your ducks in order before the process begins will help to expedite the process and make for a smooth closing.