True story: It’s Monday morning, and today, Company X is going to announce a large acquisition, but as employees arrive to work, they find the company’s systems are locked. Even worse, their data has been ransomed, and the unknown attacker is threatening to expose proprietary secrets and specifics of the acquisition and destroy data unless the company pays a seven-figure ransom.
It’s a nightmare scenario, and it is happening more and more often to companies engaged in a merger or acquisition (M&A).
Cyber-attacks based on M&A activity aren’t coincidental; they happen because cybercriminals are skilled at finding companies involved in M&A and carefully time their attack, because they know that in the haste to get the deal done, the company is probably willing to do just about anything to make the problem go away.
With merger and acquisition activity projected to increase for the remainder of 2020 and into 2021, and data protection and related privacy regulations among the issues impacting M&A strategy and activity (Deloitte 2020), is there anything you can do to prevent a cyber-attack before, during, or after a merger or acquisition?
During the investigatory or planning stages of a merger or acquisition, before the plans are set in motion, your organization should perform a complete security program and vulnerability assessment. This should be done by your in-house security team, or if you don’t have the internal resources, an outside cybersecurity consultant should be brought in.
Your security assessment will identify gaps in your Cybersecurity Incident Response Plan, determine if your network is secure from intrusion, and most importantly, verify that a cybercriminal hasn’t already infiltrated your network, because if they have, they will almost certainly exploit your M&A for their own gain.
It is also important to understand that normal M&A activity can tip off cybercriminals. A few actions that can call attention to a merger and acquisition:
- Posting jobs that require previous M&A experience
- Securing funding from investors to boost financial strength
- Reports from industry analysts that predict future M&A activity
Sophisticated cybercriminals will watch for these types of behaviors to identify targets so your organization needs to be vigilant to protect itself. This is also a good time to train company executives to not fall for spear phishing or malware attacks and to refrain from using unsecured networks or personal email to discuss details of the proposed transaction. Once a cybercriminal gains access to your network, they can expose the potential deal earlier than you intended, or derail it all together with a ransomware attack.
Cybersecurity awareness applies to both buying and selling companies, and both need to do their best to ensure their network environments are free of uninvited hackers, waiting for the right time to attack.
In-Process M&A Cybersecurity
Accomplished cybercriminals watch for telltale M&A behavior while it is in process.
Changes in marketing behavior is a sign that a company may be exploring an acquisition or is positioning itself to be acquired. Sudden decreases in advertising and PR and slower product introductions and rollouts can alert a trained eye to an impending deal. Staff reductions to inflate profitability is another tell, and cybercriminals may phish former employees to confirm their theories and acquire valuable data and / or network access.
During a M&A due diligence period, the buying and selling companies exchange a great deal of information, which provides cybercriminals many opportunities to intercept and steal data. Employees of both companies may also be hit with spear phishing attempts that allow a bad actor access to network assets.
While negotiations are happening, company executives are especially susceptible to an attack. Organizations with poorly secured endpoints, like laptops and smartphones, or an executive using unsecured public Wi-Fi or their own device to review documents while they travel, are exposing high-value data to potential thieves.
Post M&A Cybersecurity
The largest risk after a M&A has been announced are employees that fear their jobs will be eliminated or drastically changed. They may steal sensitive company data, or inadvertently leak it, and are vulnerable to phishing and social engineering attempts by a cybercriminal to gain access, or deeper access, to the network environment.
Once the two companies are one, the risk is twice as great because a larger company, still integrating technologies, give cybercriminals a larger opening through which to enter. Board members and Leadership of both companies should give secure technology integrations a high priority, both during the process and after the deal is closed.
Putting it All Together
Cyber-attacks can have disastrous effects on a merger or acquisition. In 2016, Abbott acquired a medical device manufacturer and had to recall 500,000 pacemakers because of a hacking risk. Also in 2016, Marriott International acquired Starwood for $13.6 billion, only to learn about a cyber-attack that exposed sensitive personal data of nearly 500 million customers; a liability that could cost the company up to $1 billion in legal expenses and regulatory fines.
Cybersecurity vigilance is needed throughout the entire M&A process. Cybercriminals can take advantage of individuals’ behaviors, unintentional clues, and network vulnerabilities to create cyber risk. Organizations that are especially cautious and cyber mature through every step of the process, will undoubtably mitigate the risks associated with cybercrime during a M&A.
Mergers and acquisitions are difficult enough to navigate, but when a cyber-attack happens to either company, the results can be disastrous. If you are exploring a M&A and would like to have a confidential conversation with one of our cybersecurity experts to improve your cybersecurity readiness, simply complete the form below - we’re here to help!
MCPc is a global data protection company that helps organizations dramatically minimize their risk of disruption from unforeseen events like cyber-attacks and data breaches. Our goal is to help every client achieve the highest degree of security and the least amount of risk their organization can afford, or what we call, SecurityCertainty.