Mergers and acquisitions (M&As) can be a good way to acquire new capabilities and respond to emerging challenges quickly. However, combining two companies can be complicated and can lead to additional cyber risks.
For example, Verizon discovered that Yahoo experienced a data breach during the diligence process for the 2017 acquisition. This led to Yahoo losing US$350 million in purchase price and having to pay US$35 million to the SEC (Securities and Exchange Commission), and an additional US$80 million to shareholders following lawsuits surrounding its failure to properly secure data.
“Several factors lead to the prevalence of cyber breaches such as this, but chief among them are the complexities that are created when two (or more) organisations are combining their IT and security infrastructures. Let’s face it, integration is hard without visibility adding to an already complex environment created by an explosion of devices, a proliferation of point solutions, and silos within organisations. M&A activities often increase the number of devices and scope of the network and with that, the attack surface, and the bad actors are looking to exploit that,” says Dan Streetman, global CEO of Tanium, a converged endpoint management platform provider. He shares with DigitalEdge tips to best manage the cyber risks in an M&A transaction.
What are the main challenges of assessing cyber risk in the M&A diligence process?
Assessing cyber risk is challenging if you do not have the right data to evaluate, so the acquiring company and the target company must be transparent with each other during the due diligence process. If the target company is reluctant to be transparent with its data, the acquiring company can try to establish a clearly defined data-sharing agreement that protects the target company from any misuse of its data. With the growing importance of cybersecurity, being rigid and opaque about your IT environment can be enough to completely derail a deal.
Another challenge is access to near real-time data to assess cyber risk. Typically, by the time you round up all the data to do a valuation or risk analysis, it is stale and often incomplete. To address this concern, organisations need the ability to refresh frequently and work consistently with a near-real-time data set. This will ultimately improve the quality of analysis, improve deal accuracy, and reduce overhead and the overall cost of the deal. This reduced cycle time will also help right-size the high cost and curb the time required for the consulting phases of a deal.
The complexity of the target company’s network — including multiple security systems and cybersecurity policies — can also present hurdles when it comes to assessing cyber risk. This is why it is vital for technology leaders to invest in technologies that unite their teams, creating a common language to break down silos. They need to implement technologies that reduce complexity and risk, not contribute to increasing noise and costs. By adopting a platform approach, organisations can increase their capabilities over time without deploying countless disparate point solutions that are difficult to manage, increase technical debt over time, and ultimately make them less secure.
In Asia specifically, many companies tend to approach M&A due diligence as a check-the-box exercise, often without enough boxes to begin with. They tend to be less focused on capturing synergies and enhancing integration.
In a recent McKinsey study, the majority of Asian firms surveyed reported they do not have an M&A department or have one with fewer than five employees, and more than one-fifth reported they have no dedicated budget for M&A. Compounded by lack of management buy-in, unclear processes and other challenges, these shortcomings exacerbate an already challenging M&A process.
How should organisations best manage cyber risk before, during and after M&As?
By achieving improved visibility and control over all assets, firms can shorten the cycle time for executing planning and integration, mitigating tech debt and risk, reducing overhead cost, and accelerating time-to-value of the deal. The ability to measure and scorecard risk will empower organisations to create more leverage and potentially reduce overall deal acquisition and future run costs.
At the end of the day, managing cyber risk starts and ends with good cyber hygiene — knowing which devices are on your network and what is running on them. There is security found in simplicity and visibility. The more organisations can do to get an idea of what endpoints and cyber assets they are absorbing heading into an M&A and then consolidate disparate security solutions to unite teams and tools, the safer they will be.
How does Tanium help organisations reduce M&A-related cyber risks?
Tanium allows acquirers to confidently establish a baseline of information, receive real-time updates to the data throughout the due diligence phase, and then continue to use the same platform through each phase of the deal right on through acquisition and systems/business integration. Through Tanium platform integrations, organisations can offboard the data history wherever and whenever they need to.
The amount of time and effort to collect and consolidate data for a valuation or risk analysis is often prohibitive, and people will tend to settle for what they can get in short order with as little effort as possible. This is especially true in the early phases, where confidentiality is a concern and there is a reluctance to involve a lot of people. We can help solve this problem by creating a single, authoritative view, without needing an army of people, allowing for much “lower calorie” due diligence.
Through our Converged Endpoint Management (XEM) platform, Tanium harnesses cloud and artificial intelligence (AI) to safeguard organisations. Real-time data is at the heart of all this; our ability to query and analyse data on every endpoint in real-time, and act at speed and scale, is a foundational differentiator.
During M&A activities specifically, we can help accelerate the due diligence process and reduce risk by rapidly deploying endpoints to provide better visibility and more effectively mitigate risks and remediate incidents before damage occurs. It’s all about time to value and revenue on the M&A investment, and Tanium is key to driving acceleration in this space.
AI has been in the spotlight this year. How can it help in this case?
While AI has shown its power over the last several years, the focus on generative AI over the past year has yielded new, practical use cases in making it easier and more intuitive for security teams to secure their environments.
This is especially true for M&A situations. For example, Tanium’s AI-driven autonomous capabilities will bring a massive improvement in efficiency for IT operations and security teams. This is via automated insights and actions that will help break down silos and boost efficiency as companies combine their IT and security functions.
Whether you are the acquiring company or the target company, the real-time data, speed and scale provided by Tanium’s XEM platform allow organisations to remain in control of their IT environments. Our technology will proactively identify an issue on a user's machine before it happens — whether it’s an out-of-date application that will get blocked due to policy, or a machine about to run out of storage and create a productivity-impacting issue for the user. Tanium’s XEM platform will identify and self-remediate the issue autonomously — all without the user or the IT operator having to take any action.