With some 45 percent of large acquisitions struggling to succeed, according to Accenture Strategy analysis, it’s time to think about cause and effect. One possible contributor may come in the form of a high-profile security breach.
Too often, companies are vulnerable to cybersecurity attacks. That vulnerability can become a problem in terms of time, cost and brand integrity—and could be a ticking time bomb as part of a merger or acquisition.
The call to action here is simple: Spend as much time on cybersecurity due diligence as you do conducting due diligence in every other business area. Skipping this step or simply rushing through it too quickly could leave you with a group of very unhappy shareholders—who were, after all, assured things would go smoothly and that the due diligence had been thoroughly handled.
When targeting a company for acquisition, take the time to vet its cybersecurity capabilities, successes and failures. You’ll want to find out:
How successful has it been in repelling attacks?
What technologies is it using and are they up to date?
Has it ever been successfully hacked?
What internal and third-party relationships will you be taking on, and what are their security protocols?
How protected is the intellectual property, and has it already been leaked?
What are the data-sharing agreements in the target company’s extended ecosystem?
Is the company up to date on new and upcoming requirements, such as the General Data Protection Regulation, the New York Department of Financial Services cybersecurity requirement or other emerging regulations?
Vetting the surrounding relationships isn’t always easy because they can number in the thousands. But it’s important.
Keep in mind that companies being targeted for acquisition may not know the extent and magnitude of successful cyberattacks, making it very challenging to disclose the full impact; others may be timid about full disclosure, as it could make them less valuable or could even kill the deal. Even partial admissions can be dangerous. It is critical to investigate the full nature of identified breaches, their impact and the progress in fixing the problem. One great cyber due-diligence tactic is to perform a dark web search to look for customer data or intellectual property. This will provide a starting point to understand if there is an issue to address.
None of this is simple and it can be a bit more time-consuming, but the investment can pay a strong dividend. When Accenture and the Ponemon Institute studied the cost of cyber crime in 2017, we found that many companies may be spending too much on technologies that aren’t getting the job done when it comes to stopping cyber crime. We studied nine commonly deployed security technologies and found that five didn’t provide a positive result of actually stopping cyber crime. Given that these are commonly deployed security tools, this suggests that a company you’re evaluating may have the same challenges. In a perfect world, companies may already be on the path to improving their programs. In our cost of cyber crime study, we provided three main recommendations:
Create strong cybersecurity foundations: Invest in the basics, such as strong identity management and patching, while innovating to stay ahead of the hackers.
Undertake extreme pressure testing: Don’t rely on compliance alone; identify vulnerabilities to be able to outwit and outpace attackers.
Invest in breakthrough innovation: Balance spend on new technologies—such as analytics, automation and artificial intelligence—to scale value.
Determining how much a potential acquisition focuses on the above three key areas can serve as an excellent litmus test for the acquirer. Measuring the company’s commitment to resilience sooner, rather than later, can help you guide decisions, protect your new extended value chain and avoid extremely expensive surprises.