Cybersecurity has never been more critical. This growing area of concern has been on the mergers and acquisitions (M&A) radar for some time, and we’ve previously blogged on its effect on the due diligence process, regulatory requirements, and overall acquisition risk assessments. With only 4% of organizations reportedly agreeing that their current cybersecurity strategies had been fully considered, with all risks incorporated and relevant threats and vulnerabilities monitored, it’s crucial to push forward in developing a comprehensive and current cybersecurity strategy to manage risks at all stages of an M&A transaction.

In a recent report, EY identified M&A as a “cyber threat flash point” and suggested the following key questions for companies at all stages of an M&A transaction.

  • Is data regarding the transaction secure? Several vulnerabilities can drastically increase risk that data is not secure, from employees who are careless or unaware, to outdated security controls, to simple unauthorized access. This risk is particularly acute during the due diligence phase of an M&A transaction as information must be legitimately shared among several parties.
  • How does the merger or acquisition affect the existing cybersecurity strategy? As noted above, few organizations have confidence that their existing cybersecurity strategy covers existing risks. Nonetheless, the evolution of the organization through a merger or acquisition should also result in the evolution of its cybersecurity strategy. New threats related to particular industry or other characteristics of the target should be carefully considered and integrated into the post-transaction organization’s cybersecurity strategy.
  • Does the merger or acquisition create new vulnerabilities or targets for cyber threats? Over the last five years, while cyber-attacks targeting financial information and intellectual property have declined slightly, malware and phishing attacks are on the rise. However, organizations should be particularly attentive to risks to any new intellectual property acquired through an M&A transaction, and what threats may be posed in relation to the newly acquired intellectual property.
  • Is the due diligence into cybersecurity sufficient to evaluate risk? We previously blogged on the importance of due diligence and cybersecurity. While cybersecurity in conducting the due diligence itself is critical, so too is analyzing a target’s cybersecurity risk profile. Cybersecurity issues should be considered early and often, as major vulnerabilities discovered in due diligence will almost certainly affect the success or failure of an M&A transaction.
  • How will new employees fit in? There is increasing recognition that building an effective cybersecurity strategy requires incorporation of a talent-centric model, in turn building a conscientious risk and security culture through training and awareness. When absorbing new employees through an M&A transactions, organizations should consider how best to inculcate newcomers into its cybersecurity culture and strategy for a seamless transition into a single organization.
  • What governmental regulation or oversight will the merger or acquisition attract in relation to cybersecurity? As we’ve previously reported, cybersecurity in particular can attract government regulation and oversight. Organizations should carefully consider the level of government attention that a potential M&A transaction will attract, and work to manage any associated regulatory burdens.

For more information, please see our additional posts on cybersecurity risks and regulation.

The author would like to thank Kassandra Shortt, Articling Student, for her assistance in preparing this legal update.

Stay informed on M&A developments and subscribe to our blog today.