Mitigating cyber risk in mergers and acquisitions (M&A) has become a growing concern for engaged decision makers. The immediacy of the issue is only reinforced by the cases of data breaches that have recently plagued the sector, such as the 2016 case of hackers obtaining sensitive M&A data from US law firms. Executives typically face a series of risk tradeoffs as they move through the M&A process, having to choose between speed and security or business and technical considerations. To meet these challenges, companies and their leadership should requisition the often-neglected compromise assessment and establish a comprehensive interim plan that addresses both business and cyber security needs.

M&A process opens window of opportunity for cyber threat actors

As a starting point, we must recognise that the process of M&A creates an environment that invites cyber risk. This environment is characterised by internal uncertainty and turbulence as operations and procedures are significantly, though temporarily, altered. In this state, vulnerabilities become exposed, inevitably tempting attackers. As such, this period represents an attractive window of opportunity for a hacker. In this context, executives struggle to close this window as quickly as possible and plug any gaps. This security-motivated push for haste dovetails with the business incentive to get the company operable and profitable without delay.

However, to counterbalance these incentives, executives must also recognise that the integration process cannot move too quickly, lest something crucial be overlooked and the company be left permanently vulnerable to cyber threats. Thus, there is a strong security-based argument for slowing the process in order to be thorough in assessing and responding to cyber risk and in designing a long-term cyber security apparatus. This presents a conundrum of speed versus thorough security in M&A.

Oct-Dec 2017 Issue

Control Risks