While most activities were cast into a lockdown mode in the past year due to pandemic-driven uncertainties, Mergers & Acquisitions rode a series of waves of activity. Matching the cautiousness of the corporate world in general, the first half of 2020 saw a sharp reduction in deal activity. However, as the focus of corporate leadership shifted to anticipation of a “new normal”, M&A cadence dramatically accelerated. Globally, companies announced a record $1.4 trillion worth of deals in the post-lockdown months from June to October 2020, 84 per cent higher than in the first five months of the year, leading to a total value of $2.2 trillion worth of deals in the first 10 months of the year.1
As we enter 2021, the strategic focus upon reimagining business, reskilling for new requirements, and retooling for scale has added further momentum to the M&A environment: over $40 billion worth of deals were announced in the week the first news about the high efficacy of coronavirus vaccines was reported.2 One can only surmise that growing confidence in business vitality in the wake of expanded vaccination will create stimulus for deals aimed at positioning businesses for a post-pandemic recovery. In this deal-centric environment, several considerations related to cybersecurity should be top of mind: on one hand, M&A transactions are a key target for cyberattack, and should be safeguarded accordingly. On the other, cyber risk and cyber resilience should be a core element of valuation and post-merger viability assessments. Not surprisingly, cybersecurity audits have become standard practice in diligence processes3. This nexus highlights the fact that cybersecurity is a top-tier component of business value in an environment where a cyberattack can change the trajectory of a business overnight, setting off a cascade of implications. Among those effects are derailing a proposed deal, or reducing the value of the target company’s assets by damaging its brand reputation and derailing its growth prospects.
Who’s Eyeing the Deal?: Diligence as a High-Value Target
Highly sophisticated threat actors target M&A activities because they offer the potential for short-term and sustainable reward. When merged entities’ operations are in transition, high-value data is often vulnerable. When publicly-held companies are involved, the resulting media coverage of a pending deal can exacerbate the risk that threat actors will seize the opportunity to attack.
Protecting Iterative and Sensitive Strategies
Restricting access to pending M&A deal strategies is understandable during the pre-acquisition phase; however, inclusion of risk and security expertise must be factored into these policies. After all, a typical M&A deal process produces a potential “two for one” proposition for cyber attackers, making M&A environments a high-value target. In parallel, the parties to the deal must conduct ongoing daily operations, which creates the need for a multi-layered approach to data protection.
Cyber Resilience: M&A Insurance
Recent surveys indicate that more than half of acquiring organizations wait until due diligence is completed to perform cybersecurity assessments, leaving them open to potential long-term exposure. Identifying data governance gaps, compliance with data protection standards, internal vulnerabilities, and security maturation is essential to reducing exposure during the deal process and beyond.
- Deloitte: M&A Emerges from Quarantine, December 2020
- The Financial Times: Global M&A Recovers on Vaccine Hopes, November 2020.
- ISC2 Research: The ROI of Sound Cybersecurity Programs, M&A Survey Report, 2019