When strategizing with clients on mergers and acquisitions (M&A), there are many topics and angles to cover. However, we see one topic increasingly come to the fore before a deal: cyber diligence. Data and cybersecurity concerns are the biggest cause of deal withdrawals.
Seeking a no-regrets approach
Companies considering M&A need to account for the increased risk exposure that comes with targets they acquire. In a recent Forescout study, 62% of IT and business decision makers regret going through with a deal despite cybersecurity concerns. The major reasons for that regret are lost time or money.
As attacks become more prevalent and sophisticated, companies must evolve their cyber diligence approach. They need to keep pace with threats that are constantly changing.
<<< Start >>>
Accenture’s cybersecurity due diligence reviews reveal that 35% of diligence efforts uncover a minimum of US$8 million in remediation costs.
<<< End >>>
The traditional approach is outmoded
Our client experience shows that approximately 60% of companies use a legacy approach to cybersecurity due diligence. This usually means plenty of cumbersome spreadsheets and unwieldy lists—mainly because companies are hesitant to share information before a deal closes. Diligence teams generally default to a simplistic checklist to assess cyber risk, consisting of a series of targeted questions with binary responses. It is very difficult to get a complete picture of the target company’s cybersecurity program using these methods. This is doubly true of large transactions with a global footprint, complex alliance partnerships and vendor ecosystem.
Adding to the lack of visibility, records of security incidents such as attempted ransomware attacks are often non-public information and challenging to obtain. Laws requiring the disclosure of these incidents vary by jurisdiction, which complicates matters.
<<< Start >>>
<<< End >>>
A modern, multi-pronged approach
While conducting cyber diligence, we recommend combining human conversations with the best new technologies. Conversational discovery and non-invasive technical diagnostics bring two main benefits:
1. Deeper understanding of risks and mitigation strategies
Using a security framework to drive discovery works well. Why? Because it provides a deeper window into the practices surrounding a company’s revenue-generating processes. For example, a traditional approach might include asking, “Can you explain your data security program?” But, a security framework prompts the interviewer to ask questions such as, “How is customer data protected and where does it logically reside?” More targeted questions should elicit more targeted answers.
Situations will vary. For instance, a financial services company may have deep security policies within compliance and cyber defense, whereas a SaaS organization enlists a complex software/API controlled approach. Let the target company’s business model inform the scope of review.
Technology can support discovery teams as they validate cyber hygiene. For example, it can help search for indicators of compromised security or check technical configurations.
We suggest taking minimally invasive actions such as passively inspecting heavily trafficked egress points. This can lead to the discovery of known, bad destination IP addresses and malicious payloads. Running scans on the target company’s externally facing landscape reveals unintentionally exposed assets. That could mean something as simple as misconfigured security settings that enable internet access—or something far more complex.
Use these collective data points to show a more complete picture of the target’s cyber posture and the maturity of its security. Pairing thoughtful interviews with non-invasive technical assessments better informs your company on whether the potential target is a cybersecurity liability. This approach also can help you determine the right mitigation strategy.
2. Value creation
It is not just about protecting the downside, though. There are two upsides to a modern, multi-pronged approach to diligence. The first centers on financials. The acquiring company can outline cybersecurity investments to remediate gaps and identify synergies.
The second outcome is a set of strategies to speed integration. With this holistic approach, the cyber diligence team can begin to outline the identity and access management strategy for the combined company. In a recent transaction, we supported our client in formulating this approach and outlining the expected investment to create new user identities for the target company’s employees, thereby accelerating post-announcement planning, post-close execution and synergy realization. By doing so, they begin a step ahead―facilitating cross-company application access as early as Day One.
Handle cybersecurity from a position of strength
Cyber threats continue to become more sophisticated every day. So should cybersecurity strategies. Especially in something as critical to business success as a merger or acquisition.
If cybersecurity has not been a top priority in your company’s M&A activity, we suggest moving it up the list while still in strategic mode, versus having to do so to play defense due to a breach. Cybersecurity from a position of strength is always the best option.
Co-authored with Billy Gulley, Senior Manager, Accenture Security, and Jeffrey Wu, Senior Manager, Accenture Strategy.
See more Enterprise Strategy insights.