Businesses of all kinds are vulnerable to cyber attacks. Lloyd’s estimated that businesses lose up to $400 billion per year due to data breaches. With the recent growth in mergers and acquisitions activity — 2015 was the biggest year for M&A ever, according to the Wall Street Journal — deal activity is drawing the attention of cybercriminals. Although there was always the risk of deal information leaking, now that documents are shared electronically, the possibility of unauthorized access to documents is greatly increased.
The damage from a successful cyber attack during an M&A can cost the parties involved in a deal millions of dollars, damage a firm’s public image and lead to litigation. Protecting sensitive data during an M&A is critical, but many firms don’t recognize the risks of data exposure and don’t implement sufficient data security measures.
Cyber Security Risks Before the Deal Closes
The due diligence process before the deal closes requires examination of multiple kinds of data, all of which could be valuable to cybercriminals. While most security breaches that get media attention involve the theft of consumers’ financial or medical data, M&As require sharing many other kinds of valuable company information, all of which could potentially be exposed through hacking.
Information about the existence of the potential deal is itself valuable to competitors or traders, for whom it enhances understanding of the buyer’s business strategy. The due diligence period requires review of many sensitive documents about the target business’s financials and intellectual property, which are also valuable to competitors and traders. M&A reviews also require sharing information about company employees and vendors, both of which can provide hackers with new targets for phishing, social engineering and other attacks.
Even the cybersecurity risk assessment that’s part of a comprehensive due diligence review can create cybersecurity risks. If the cybersecurity risk assessment is comprehensive, the documents under review include information about the business’s information security policies, network architecture and the security tools in use. Companies will disclose whether they were previously the target of an attack and how they responded. Evaluating whether the target company presents cybersecurity vulnerabilities requires exploring how the target protects the personally identifying information in its databases and what data loss prevention and intrusion detection measures it has deployed. This information is highly useful to a cybercriminal who wants to penetrate the target organization.
Cyber Security Risks After the Deal Closes
The need for enhanced attention to data security doesn’t end when the deal is finalized. The transition period can be tumultuous, with disgruntled employees who can reveal information about security implementations. As the two companies come together, the need to integrate data systems can require making system and network changes that create vulnerabilities.
It’s important to plan for protecting data as the merger is completed. Although the cybersecurity risk assessment should have been performed during the deal’s due diligence period, extensive security reviews should be performed early in the transition, with critical vulnerabilities remediated as soon as possible. Monitoring should be increased to provide an early alert of unauthorized activity.
Technology to Keep M&A Data Secure
Because deal information is mostly shared electronically, the teams working on the M&A project must use safe computing practices to protect data during the M&A. Backups of files must be stored securely. Even copy machines must be secured, as digital copiers may retain images of the documents they duplicate. There should be a clear policy regarding the use of mobile devices to access deal documents, including laptops, tablets and smartphones. Theft of devices is a major cause of data breaches.
Email should not be used to send sensitive information unless it is encrypted. Cloud storage provides an easy way to share documents but may not offer the controls needed to ensure information is protected. In many cases, sharing documents safely and easily is best done through a virtual data room (VDR). Virtual data rooms are compliant with security standards such as ISO 27001. Some VDRs meet the data protection standards of sensitive industries, such as HIPAA privacy requirements for healthcare information. Documents are encrypted, and access typically requires two-factor authentication rather than a single password. VDRs enable an administrator to finely control access to documents, restricting it to specific users and even specific IP addresses. The controls can limit the ability to print or download documents, and audit trails provide a record of all user activity.
VDRs also use antivirus software to protect against introducing malware into the organizations involved in the deal. Malware is often attached to Word documents, spreadsheets and PDF files, all of which are commonly shared and reviewed during the M&A process.
To protect data within the target company during the deal period, endpoint monitoring is crucial. Data loss prevention software should be used to detect suspicious movement of data outside the company network.
Risk Reduction is Key to Deal Success
Reducing cybersecurity risks is crucial for M&A deals to succeed. In a survey of 152 M&A professionals, 85% believed the risk of cyber attacks had increased over the past year, and one in five had already had a cyber attack affect their bottom line, but only 65% had increased cybersecurity measures over the past year and 43% had received cybersecurity training. For deals to reach completion, cybersecurity vulnerabilities need to be reviewed as part of the deal and all sensitive information protected.