By Pam Baker
More than half (53%) of companies responding to a new Forescout survey reported critical cybersecurity risks during M&A deals that “put the deal in jeopardy.”
Respondents also said that had they known the cybersecurity risks ahead of time, they would never have made the M&A deal. Indeed, 65% of respondents reported buyer’s remorse precisely because of the cybersecurity concerns they ended up inheriting with the purchase.
“M&A activity can be a game-changing moment in a company’s history, but recent breaches shine the spotlight on cybersecurity issues and make one thing abundantly clear: You don’t just acquire a company, but you also acquire its cybersecurity posture and a potential trojan horse,” said Julie Cullivan, chief technology and people officer at Forescout.
“Cybersecurity assessments need to play a greater role in M&A due diligence to avoid ‘buying a breach.’ It’s nearly impossible to assess every asset before signing a deal, but it’s important to perform cyber due diligence prior to the acquisition and continually throughout the integration process,” Cullivan added.
A PwC report confirms M&A deals are threatened by cybersecurity risks. That report found 63% of U.S. CEOs are extremely concerned about cyber risks, making this “the top threat to business growth.” Further, PwC found that cyber issues can easily raise M&A costs while also significantly reducing value.
“Many executives say data breaches, especially public ones, can lower a deal’s valuation. That was evident in Verizon’s acquisition of Yahoo, which closed in 2017. After Yahoo’s disclosure of two massive breaches in previous years, Verizon cut its offer by $350 million, or about 7% of the original price. In addition, the part of Yahoo that wasn’t sold to Verizon agreed to assume 50% liability from any future lawsuits related to the data breaches,” according to the PwC report.
Given the threat to M&A deals is common, this presents a strong business opportunity for MSSPs and other MSPs who sell security. An overwhelming majority – 81% – “of ITDMs and BDMs agree that they are putting more focus on an acquisition target’s cybersecurity posture than in the past, highlighting that cyber is a top priority for both IT and business decision makers,” according to the Forescout report.
But partners themselves should be aware that this particular risk also hits close to home. The most active sectors in the first quarter of the year, according to the Momentum Cyber’s cybersecurity market report, were: MSSP (5), application security (4), network and infrastructure security (4), and security consulting (4).
The consensus among these reports is that cybersecurity risk assessments should be a major part of M&A due diligence. According to the PwC report, “an acquirer must incorporate cyber issues into its assessment of a deal target. With this insight, the risks and cost can be factored into the deal model, negotiation and day-one planning.”
PwC recommends deal makers and their channel partners include assessing the following risk indicators: