By Jessica Tasman-Jones
This article is brought to you by Agenda, an FT Specialist publication that focuses on corporate boards
M&A deals are increasingly scrutinised for cyber security risks, say experts.
Traditionally, due diligence has focused on financial, personnel, assets and other matters, says Mary Galligan, the US cyber crisis management leader for Deloitte & Touche.
For organisations other than technology companies, cyber security is typically categorised under “broader technology risks”.
This is changing, says Antony Walsh, the M&A partner at Eversheds Sutherland. “Stand-alone cyber security due diligence is increasingly undertaken, often as part of a wider overall IT diligence report,” he says.
“Such reporting is far more technical in nature and key stakeholders, such as the chief information security officer, chief technology officer and other IT heads [will be interviewed].”
Companies’ values can be affected by their cyber security standards. In some cases this can determine whether a deal will be taken to completion, says Cate Pye, a cyber security expert at PA Consulting.
CISOs should be directly involved in M&A due diligence processes, she says.
It is usually cheaper and more effective for the acquiring company to integrate cyber security from the outset, instead of attempting to bolt it on at a later date.
Problems inherited from a company that has been taken over can lead to sanctions by regulators. In 2020 Marriott Hotels was fined £18.4mn by the UK Information Commissioner's Office for a breach of the General Data Protection Regulation that went undetected when the group acquired Starwood Hotels in 2016.
Cyber security arrangements can be complex, with third parties and vendors involved, says Pye. A CISO should determine how the targeted company would fit within the merged organisation, she says.
Technical and insurance due diligence are becoming increasingly significant, says Walsh. “One of the most expensive areas of cover these days is cyber insurance, if the target business can even obtain such cover,” he says.
Legal due diligence should examine such policies and determine whether there have been cyber attacks, Walsh says. If there has been an attack, investigators should ask how it was dealt with and the sanctions imposed, he says.
Legal due diligence alone is limited: checking a cyber security policy is not enough to establish how robust a company’s systems may be, he says.
Board members of the acquiring company should ask the management of the target company probing, pertinent and direct questions about its cybersecurity, says Galligan.
Organisations have to look beyond traditional IT systems, says Fraser Nicol, a cyber security expert at PA Consulting. Manufacturing plants, vehicles and handheld devices should now be part of due diligence of cyber security because of the data they process, he says.
Operational technology tends to be less secure than information technology, and boards should be aware of that throughout a merger and acquisition process, says Galligan.
An acquiring company has limited options if the target is subject to an attack before the deal goes through. In a typical M&A deal, the onus would be on the buyer to prove that a current cyber attack is both material and adverse if they wish to terminate a deal, says Walsh.
This article is based on a story written for Agenda by Frederic Lee