The headlines resulting from the Target/Fazio Mechanical Services and T-Mobile/Experian breaches have raised the awareness around third-party risks. Unfortunately, awareness doesn’t equal a security control and organizations must make a deliberate effort to pull their heads out of the sand and get better visibility into the risks they face.
Mergers and acquisitions (M&A) risk is a critical subset of broader third-party risk. According to Deloitte, global (M&A) activity reached record-breaking deal values in 2015 at over $4 trillion, with the resulting deals expected to add $1.5 to $1.9 trillion in value to these companies. In 2016, high levels of M&A activity are expected to continue.
While M&A can certainly add value, it can also detract from value as well. In 2011 Hewlett-Packard acquired British software maker Autonomy for $11.1 billion in what could be considered one of the worst corporate deals ever. HP had to write down $8.8 billion as a result of “serious accounting improprieties” that due diligence failed to uncover.
The Autonomy example illustrates the potential financial risks of M&A, but what are the cyber risks of M&A activity? From the exploitation of financial markets, to the theft of intellectual property, the M&A process provides significant opportunities for threat actors. In one public example, US Security and Exchange commission launched an investigation into the criminal activities of a threat actor group identified as FIN4 who was suspected of targeting public companies that provide M&A series including investor relations, legal counsel and investment banking.
In order to gain visibility into M&A risks associated and what you can do about them, you must first understand the M&A process (See Figure 1).
Figure 1: The M&A Process
Due diligence is a discrete stage in the M&A process, but in order to better under stand the risks, diligence must occur during all the stages. Proper due diligence must include having a better understanding of both the acquirer and acquiree’s digital footprints.