Cybersecurity Perils of M&A

In this continuing series on cybersecurity with Arnaud Wiehe, author of The Book on Cybersecurity and Emerging Tech, Emerging Threats, we explore the underappreciated cybersecurity risks that can arise any time firms engage in M&A activities.

It’s a familiar story for any homebuyer. After intense scouting you find your ideal house. It’s the right size. In the area you want to be. The place could maybe use some updating, but the price is attractive. And other prospective buyers are circling, so you need to move ahead, fast.

Pulling the trigger without proper due diligence first though risks courting disaster. A technical inspection may uncover subsidence issues, dry rot, a termite infestation, faulty pipes. That dream property could quickly turn into a money pit.

Overlooking cybersecurity in any mergers and acquisitions targets holds similar dangers, noted Arnaud Wiehe, author of The Book on Cybersecurity and Emerging Tech, Emerging Threats.

Just ask Verizon. Its 2016 deal to buy Yahoo was delayed by months as it assessed the fallout from two huge, previously undisclosed Yahoo data breaches. Verizon eventually paid $4.5 billion for the company, $350 million less than its original offer. And under the amended deal terms, Yahoo remained responsible for liabilities from shareholder lawsuits and SEC investigations stemming from the breaches.

Why prioritize cybersecurity during M&A transactions

Most financial institutions will be involved in M&A activity at some point – perhaps multiple times. The usual rationale is some variation on the growth and synergy theme: whether it’s an opportunity to move into new asset classes, new geographies, to gain new skills or a bigger customer base. Cybersecurity costs and their potential implications often get ignored amid the scramble for growth.

“But they need to be factored into the calculation of whether the acquisition makes sense or not,” Wiehe advised.

Failure to understand the costs and risks of any defense weaknesses can damage not only your company’s finances but its reputation. An organization with weak cybersecurity practices is more vulnerable, potentially devaluing its worth, observed Wiehe – as seen with the Verizon/Yahoo tie-up. Overlooking cybersecurity could also expose firms to legal liabilities, especially if data breaches occur post-acquisition, he added.

Merging cybersecurity

Merging firms usually have different cybersecurity hygiene levels. Cybercriminals will target the weaker partner as an easier access point, so post-acquisition the cybersecurity frameworks need to be equalized at the highest level as fast as possible.

“During that transition you’re actually quite vulnerable,” warned Wiehe. “There are two worlds colliding, with different infrastructures, different capabilities, perhaps different approaches, and they don’t always understand each other that well.” Sharing data during the M&A process is a prime risk point, he added. “Doing so without the right precautions could expose valuable intellectual property or sensitive data.”

The clean up, to get the merged entity to the desired security standard, can take considerable work. Take a common example, of one company with Microsoft endpoints and another with Mac ones, said Wiehe. “When you bring the two environments together, you now have to manage Mac and Microsoft operating systems. You end up with two types of tooling for endpoint protection, maybe two different antivirus systems. That ‘technical debt’ is messy. It’s also expensive to get to one unified set of systems, processes and people supporting your environment.”

And this complexity arises from just one acquisition. Making multiple acquisitions results in a panoply of tools, and more people to support them, unless the organization can get to a unified infrastructure, cautioned Wiehe.

Ensure proper protections

Which makes it so important for firms to conduct a thorough cybersecurity assessment of their proposed partners before diving into any M&A commitment.

Areas Wiehe highlighted include:

Technical compatibility: Understanding the make-up of your acquisition target’s technology stack is crucial. Risks stem not just from what they have but how it will mesh with your existing infrastructure. How difficult and expensive will it be to bring the environments together and protect them?
Network & cloud considerations: How does the target structure and host its infrastructure? Is its technology mainly on-premise or cloud-delivered? Examine everything from its legacy devices to cloud security to ensure you aren’t inheriting a technical nightmare.
Identity management: Evaluate access protocols, password policies and overall identity management to guard against security lapses. One company may use five-character numeric log-ins; the other a 10-character alphanumeric. Do you bring these together?
Compliance: Familiarize yourself with the applicable laws, regulations and compliance history of the target organization. Firms that operate in different countries and/or sectors will have distinct compliance obligations.

Sometimes an M&A tie-up can be a gift, said Wiehe, where you acquire a company with a better cybersecurity framework that allows you to quickly springboard your own capabilities. Where it’s the opposite, any cybersecurity deficiencies can be a major hazard.

About Arnaud Wiehe

Arnaud Wiehe is an author, speaker, consultant, and thought leader in cybersecurity. He has worked in leadership and cybersecurity roles for major global companies, including as a CISO for multiple years. He holds several prestigious cybersecurity certifications, including:

•Certified Information Systems Security Professional (CISSP)

•Certified Cloud Security Professional (CCSP)

•Certified Information Security Manager (CISM)

•Certified Information Systems Auditor (CISA)

•Certified Fraud Examiner (CFE)

Throughout his career, Arnaud has demonstrated a strong focus on cybersecurity best practices and keeping current with emerging trends, technologies, and innovation. He is a graduate of the Singularity University and a member of the Association of Professional Futurists. He is widely respected by his peers as an expert in cybersecurity and IT governance.

Arnaud is also an enthusiastic amateur musician and luthier. He plays the violin, viola, cello, and mandolin. He has made two violins, a viola, and numerous bows.

SIMILAR RESOURCES

Blog

5 Key Tests for Picking the Right Fund Administration System

Technology has become central to fund administrators’ service propositions and a key source of competitive advantage. As investment managers hive off non-core functions in an effort to boost their own competitiveness, partnering with outsourcing providers that can deliver the requisite speed, quality and reliability of service only gets more important. Stringent due diligence examinations to […]

Blog

AI Takes Cyberattacks, and Security, to the Next Level

Artificial intelligence is the Janus of cybersecurity: a dual-faced bringer of war and peace, of beginnings and endings, the opening and shutting of doors, with the power to both help and harm. PwC’s latest CEO survey captured the dilemma. While it found chief executives are increasingly looking to the transformative benefits of generative AI, almost […]

Blog

Cybersecurity Best Practices: How to be More Proactive in the Fight Against Cyberattack

In cybersecurity, as with medicine, prevention is better than cure. The news headlines are filled with tales of email hacks, phishing scams and ransomware attacks that leave firms scrambling for patches or ways to contain the damage. The fast-moving threat landscape often leaves financial organizations playing catch-up, in a whack-a-mole contest with sophisticated and well-resourced […]

Blog

What Does the EU Artificial Intelligence (AI) Act Mean for Financial Services?

The European Parliament last week approved the world’s first binding law to regulate the use of artificial intelligence (AI), in a move with wide implications for the financial services industry. AI technologies are powering a fast-expanding range of financial market functions, spanning everything from anti-money laundering and cybersecurity activities to customer interactions, tailoring wealth and […]

Blog

Cybersecurity Best Practices from the Man Who Wrote the Book

If cybercriminals can hack the corporate email accounts of Microsoft’s senior leadership team, what could they do to your cybersecurity defences? Cybersecurity was once again the top concern for European banking Chief Risk Officers surveyed by EY and the Institute of International Finance, with 82% ranking cybersecurity risk as the biggest threat to their business […]

Blog

ESG: The Next Growth Area in Fund Administration

The US Securities and Exchange Commission’s decision to pare back its long-awaited climate-risk disclosure rules suggest the blowback against the environmental, social and governance (ESG) movement is gathering strength. The reality is ESG reporting demands are only growing. For many investment managers, the obvious answer is to turn to their fund administrator for help … […]

Blog

Do We Need AI, and Does AI Need Us?

In conversation with The Dark Money Files’ Graham Barrow Are we interceding with artificial intelligence too often and too quickly? asks The Dark Money Files director and anti-money laundering expert Graham Barrow. A week after chip giant Nvidia reported blowout earnings on frenzied customer AI hardware spending and forecast excellent conditions for continued growth, questions […]

Blog

AI in Investment Management: 3 Areas Ripe for Change

How much of a role will artificial intelligence realistically play in the investment management industry? As we discussed in a previous blog, implementing more traditional automation initiatives, to get the foundations right before adding AI complexity and data demands on top, should be firms’ initial priority. But then what? While the potential is seemingly limitless, […]

Blog

Forget AI, Prioritise The Low-Hanging Automation Fruit

If ever there was a case of shiny object syndrome today, then artificial intelligence is it. The release of ChatGPT in November 2022 and subsequent “AI boom” has sparked fevered speculation of where AI can be applied and what it could do for the financial services industry. The latest PwC CEO Survey captures the mood. […]

Blog

UK Banks Feel Pain of Iran Sanctions Evasion Lapses

The Financial Times headline is damaging enough by itself: “Iran used Lloyds and Santander accounts to evade sanctions”. This is exactly the sort of high-profile publicity nightmare financial institutions are desperate to avoid. The reputational risk from such revelations – especially when they’re disseminated by a globally-renowned publication like the Financial Times – can have […]

Blog

ESG at a Crossroads: What Next For 2024 and Beyond?

Environmental, social and governance (ESG) aligned funds were, until recently, a one-way bet for the investment industry. The future looks less assured. ESG has turned into a highly sensitised issue, LSEG Global Head of Research Robert Jenkins noted in a recent article. “The term ESG has become near toxic and arguably weaponized in the U.S.” […]

Blog

Will Your Project End Well?

A project is a mini-series, not a soap opera (although sometimes during a project’s lifecycle it can feel like it will never end). In other words, a contained event with a beginning (initiation and planning), a middle (implementation) and end (delivery and use). A project can be defined as “a complex, non-routine, one-time effort limited […]

VIEW ALL RESOURCES