This blog was written by an independent guest blogger.
Requires strong due diligence
Nowadays you need a scorecard to keep track of the monthly acquisitions and mergers in the cybersecurity industry. Mergers and acquisition (M&A) of products, capabilities, and companies has become a common strategy for business and market growth. Even through the Covid19 pandemic, trends in acquisition and consolidation of information security oriented companies remained quite strong. In fact, the volume of U.S. cybersecurity M&A deals hit 151 in the first three quarters of 2021, compared to 80, 88 and 94 in 2018, 2019 and 2020, respectively, according to data from 451 Research. Please see graphic from S&P Global Market Intelligence.
According to CSO, 2021 shaped up to be an active year for mergers and acquisitions in the cybersecurity industry. March alone saw more than 40 firms being acquired. The level of activity is driven by growth in sectors such as identity management, zero trust, managed security services, DevSecOps and cloud security. Top cybersecurity M&A deals for 2021 | CSO Online
In December 2021 alone, Security Week’s cybersecurity M&A roundup for December 2021 listed 35 deals amounting to $ billions of dollars in transactions. Cybersecurity M&A Roundup: 35 Deals Announced in December 2021 | SecurityWeek.Com
In 2022 M& A in cybersecurity will likely expand to ever greater heights. Because of the trend digital transformation, almost every company in every vertical has an information technology or operational technology component vital to successful operations. A breach could be devastation to a company bottom line and reputation, so cybersecurity capabilities have become more of a priority for the C-Suite as the stakes have risen.
No matter what industry you may be in, there certainly are high stakes involved with M & A. Companies are taking great risks in terms of their economic future when acquiring assets of a target company. A great amount of due diligence is invested in the M&A process to discover potentially harmful legal claims, tax issues, environmental issues, and confirming that the target company assets are provable, real, and unencumbered.
According to the consulting firm Deloitte, it is estimated that in 2022, about 60 percent of the organizations will consider cybersecurity posture in their due diligence process as a critical factor during any M&A2. Technology disruption Technology disruption assists companies to evolve into new business models and upgrade their traditional modes of operating business. PowerPoint Presentation (deloitte.com)
It is all about risks. “A damaged asset is worth less,” according to Sean Wessman, a Principal at EY’s Americas Risk and Cybersecurity Practice. “Cybersecurity issues potentially affect M&A in a number of ways. Given how costly data breaches can be in both tangible and intangible terms, acquirers want to get as much certainty as possible about the risks they are buying in a deal. “The Role of Cybersecurity in M&A - Journal of Cyber Policy
There is an array of activities involved in basic cybersecurity due M & A diligence. This include having a solid inventory of both hardware and software assets of the company being targeted for acquisition or merger. Knowledge of where all sensitive data is kept, who has (or had) administrative access, and which 3rd parties participate in the supply chain is important to investigate. Of course, there are also the legal requirements of confirming validity of patents.
Physical security due diligence is a necessary step to how data centers are configured and protected and especially what hardware devices are connected to the networks. An unauthorized, or negligently networked device provides an easy means for economic espionage and avenue for hackers to exfiltrate data.
In our budding digital transformation era, the same focus must be applied to due diligence of software applications that serve as the core operation center of a company. An undiscovered vulnerability can seriously undermine the value and optimization of an acquisition.
With software applications due diligence requires knowing what you have and what you do not have. Are the applications configured correctly, is there any hidden malware, are there risky legacy programs attached to the applications? And are there any potential Zero Day risks?
There is only one sure fire way to mitigate software application risk, at that is through comprehensive penetration testing. Testing identifies vulnerabilities and allows for understanding the cyber- risks they are obtaining in a deal. Before the mergers & acquisition formally proceeds, all acquired application software should be tested to detect all variations of malware, known and unknown. Sometimes, the potentially acquired company does not even know fully what devices or applications they have operating in their own networks.
Testing can proactively discover vulnerabilities in legacy applications, distribution of IT assets, and many other use cases, including how the data and intellectual properties acquired are protected.
In conjunction with application testing, the cybersecurity M & A Process should also explore the proper business alignment and maintenance of all acquired applications and be part of a larger framework. For example, the Kroll Cyber Due Diligence for M & A infographic provides a working overview. It should be noted, cyber due diligence, including testing of applications, is also important for post transaction operations.
The new realities of sophisticated and growing cyber threats in a digital world ensures that M & A will continue to be a preferred strategy by companies for improving market capabilities and positioning for the near term. The trend in both government and the private sector of Zero Trust combined with regulatory initiatives will amplify the need for stronger products and services to meet challenges ahead. Including keeping our cybersecurity M & A scorecards up to date.